St. Vincent Medical Center is once again notifying patients of a data breach after experiencing a fourth phishing attack since December 2018.
On March 26, St. Vincent Medical Center, a part of Verity Health System, discovered that the email account of a hospital pathologist had been compromised. An investigation was immediately launched into the breach. It was discovered that the account was first compromised 11 days earlier, on March 15. It appears that the unauthorised individual gained access to the account through a successful phishing attack.
The breach investigators secured the account within hours of its discovery. While the hacker still had access to the account, they used it to send further phishing emails to internal and external email addresses. Despite the hacker’s attempts to fool other employees at St. Vincent Medical Center, the investigators determined that no further email accounts were compromised in the attack.
During the 11 days in which they had access, the hacker could have potentially accessed all of the emails, folders, and attachments associated with that account. These emails contained sensitive patient data, including demographic details, medical record numbers, Social Security numbers, diagnoses, treatments, lab data, and health plan names. Although the investigators did not find any evidence to suggest that the hacker accessed or copied this information, the possibility could not be ruled out.
As such, notifications have been sent to the affected patients, and an interim breach notification has been sent to the California Attorney General.
This incident is the fourth phishing attack experienced by St. Vincent Medical Center in recent months, following two attacks in late December 2018 and another attack in January. The January attack affected almost 15,000 patients. St. Vincent Medical Center has not released any information on how many individuals were affected by this particular breach.
In response to the attack, St. Vincent Medical Center implemented further email security controls to block malicious emails along with multi-factor authentication. Employees have been trained on the dangers of phishing campaigns and best practices for spotting scam emails.