Over 20,000 people’s data potentially compromised in phishing scam targeting Valley View Hospital
Phishing scam granted ‘unauthorized third party’ access to hospital emails
A phishing scam granted outside users access to four Valley View Hospital email accounts, potentially impacting the personal data of about 21,000 people, including hospital employees and patients, a Valley View spokesperson wrote in an email.
A Valley View news release Friday states the hospital learned in January that thousands of peoples’ personal information could have been accessed when an unauthorized third party gained access to several employees’ email accounts. An investigation followed, and it was determined March 29 that the accounts contained personal information that could have been compromised.
The access was obtained through malicious links embedded in emails disguised as legitimate correspondence from an employee within the company, otherwise known as a phishing scam, Valley View Chief Community Relations Officer Stacey Gavrell wrote in an email.
Phishing scams are typically the work of organized, well-funded and sometimes government-supported actors, Gavrell added.
“In the majority of cases, the personal information that could have been accessed consisted of a name and a birthday,” Gavrell wrote. “At this point we are not aware of any instance of any information leaving our system or anyone’s information being used in an unauthorized manner.”
As a precaution consistent with privacy laws, the hospital reported this incident to the state and to the Office of Health and Human Services, Gavrell wrote.
Following discovery of the security breach, Valley View secured the email accounts to prevent further unauthorized access and engaged a forensic security firm to investigate the incident and confirm the security of Valley View’s email and computer systems, a news release states.
Gavrell said Valley View is reaching out by mail to those whose information might have been impacted through the phishing scam.
Valley View also arranged for complimentary identity protection and credit monitoring services for those individuals whose Social Security numbers or driver’s license numbers were impacted, a news release states.
The notice is slated to include information on steps to protect people from fraud or identity theft. The hospital is also recommending people monitor their credit reports, account statements and benefit statements for inconsistencies that could be indicative of identity theft or fraud, a news release states.
“Valley View takes its responsibility to safeguard personal information seriously,” Gavrell said in a news release. “We apologize for any inconvenience or concern this incident might cause.”
The hospital is taking steps to mitigate risks of future scams, such as changing email security and providing cybersecurity education for its staff, Gavrell wrote.
Learn more about identity theft protection at http://www.ftc.gov/idtheft or by calling the Federal Trade Commission at 877-438-4338.
Reporter Ike Fredregill can be reached at 970-384-9154 or by email at email@example.com.