An employee at a New York City medical center was tricked into giving out patient information by a threat actor purporting to be one of the facility’s executives.
The data was shared by an individual at community-based non-profit the VillageCare Rehabilitation and Nursing Center (VCRN) who had received what they believed to be a genuine email from a senior member of staff.
VCRN were notified on or about Monday, December 30, that a cruel deception had taken place.
In a Notice of Data Privacy Incident statement published on VCRN’s website, the company stated: “The unauthorized actor requested certain information related to VCRN patients. Believing the request to be legitimate, the employee provided the information.”
Information obtained by the threat actor included first and last names, dates of birth, and medical insurance information, including provider name and ID number for 674 patients.
VCRN said: “Once it became apparent that the email received by the employee was not a legitimate request, we immediately launched an investigation with the assistance of third-party forensic specialists to determine the full scope of this event.”
The medical center said that they weren’t aware of any personal patient information having been misused as a result of this event.
Becoming a victim of a phishing scam has led VCRN to review its cybersecurity practices.
The center said: “We take this incident and security of personal information in our care seriously. We moved quickly to investigate and respond to this incident, assess the security of relevant VCRN systems, and notify potentially affected individuals. This response included reviewing and enhancing our existing policies and procedures.”
VCRN has taken steps to notify all the patients who have potentially been impacted by the cyber-attack. A toll-free dedicated assistance phone line has been established for patients who wish to discuss any concerns they may have as a result of the incident.
The data breach has been reported to law enforcement and to the relevant regulatory authorities.
VCRN advised patients “to remain vigilant against incidents of identity theft and fraud and to review account statements, credit reports, and explanation of benefits forms for suspicious activity and report any suspicious activity immediately to your insurance company, health care provider, or financial institution.”