- Verity Health System has begun notifying more than 9,000 people that their personal information may have been breached by an unauthorized third party.
- The information included patient names, birth dates, medical record numbers, street addresses, email addresses, phone numbers and the last four digits of credit card numbers entered between 2010 and 2014.
- No evidence suggests that any information was actually used inappropriately, the company said Monday.
According to the Redwood City, CA-based hospital system, the incident took place sometime between October 2015 and this January and involved its Verity Medical Foundation-San Jose Medical Group website, which is no longer in use.
Officials said the company acted quickly to secure the website and enhance cyber protections so that similar events would not occur.
U.S. hospitals and health systems have been hit with a slew of cyberattacks and unauthorized breaches in recent years. In August, HHS’ Office for Civil Rights told regional offices to step up investigations of smaller breaches of personal health information (involving fewer than 500 people) to better identify entity-wide or industry-wide lapses in HIPAA compliance, as well as network vulnerabilities that leave them open to cyber and ransomware attacks.
Last month, Illinois-based Presence Health agreed to pay $475,000 and implement a corrective action plan after failing to promptly report a breach of unsecured protected personal health information.
Meanwhile, plaintiffs in a class action lawsuit against Anthem are seeking access to government documents from an audit they believe shows the insurer knew about IT security concerns before a 2015 breach that compromised data on 70 million to 80 million customers. The 2013 IT security audit was conducted by the U.S. Office of Personnel Management because Anthem is an administrator for the Federal Employees Health Benefit Program.
Faced with mounting cyberattacks, HHS awarded $250,000 to Ormond Beach, FL-based National Health Information Sharing and Analysis Center to provide cybersecurity information and education on cyber risks to hospitals and other industry stakeholders. A second award of $100,000 went to HHS’ Office of the Assistant Secretary for Preparedness and Response to develop a secure infrastructure for disseminating information about actual threats.