DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Seton Family Health notifying 39,000 patients after employee falls for phish; Second Ascension Health member to report breach this week (Update2)

Posted on April 25, 2015 by Dissent

Is Ascension Health being targeted by attackers successfully acquiring employee e-mail account logins via phishing?  (Update 2: It seems they are. See this post after reading the one below.)

Zach Lozano reports that Seton Family of Hospitals will provide free identity monitoring and protection services for patients who had their personal information leaked in a phishing attack targeting employee emails:

Approximately 39,000 patients received letters about the breach in which hackers accessed protected patient information, including demographic information, medical record numbers, insurance information and Social Security numbers. Seton was notified of the breach on Feb. 26.

Well, that last statement is not quite accurate, as I’ll explain below, but you can read the rest of his report on KXAN.

In looking into this incident, I became suspicious when I noted that Seton is  part of Ascension Health. This past week, another Ascension member, St. Vincent Medical Group in Indiana, also reported a phishing attack but they learned of theirs on December 3, not in February. So I started digging more, wondering if Ascension hospitals are being targeted just as we saw both Baylor facilities and Franciscan Health/Catholic Health Initiatives facilities being targeted by phishing attacks. And sure enough, I found a notice on Seton’s site that reports that they actually became aware of the phishing attack on December 4 – the day after St. Vincent’s learned of their breach. Seton’s notification is basically the same as St. Vincent’s  notification after adjusting for date of discovery and number affected. Here’s the main part of Seton’s notice:

The privacy and security of patient information is of utmost importance to Seton Family of Hospitals, a division of Seton Healthcare Family (“Seton”), and Seton has implemented significant security measures to protect such information. Regrettably, despite the efforts to safeguard patient information, an email phishing attack has affected Seton’s patients.

Seton experienced an email phishing attack on December 4, 2014, which targeted the user names and passwords of Seton employees. Upon the determination that an email account had been compromised, the user name and password was immediately shut down. Seton launched an investigation into the matter, and the investigation has required electronic and manual review of affected e-mails to determine the scope of the incident. Seton engaged computer forensics experts to assist with the investigation. Through the ongoing investigation of this matter, we determined on February 26, 2015, that the employee e-mail accounts subject to the phishing attempt contained some personal health information for approximately 39,000 patients.

The personal health information in the e-mail accounts included demographic information (i.e., name, address, gender, date of birth, etc.), medical record numbers, insurance information, limited clinical information and, in some cases, Social Security numbers. The hackers did not gain access to individual medical records or billing records.

[…]

I wonder whether we’ll learn that other Ascension Health members have been similarly targeted. Ascension Health describes itself as the largest non-profit health system in the U.S., with 131 hospitals.  As their site also indicates, Ascension Information Services (“AIS”) was formed as a nonprofit corporation in 2005, and AIS provides information technology infrastructure and software application support services to all member entities of Ascension. But who provides the training to employees how to not fall for phishing attempts?

Updated: DataBreaches.net reached out to Ascension Health to ask them whether there were more than two hospitals that have had recent phishing incidents like those reported by the two hospitals mentioned in this post. DataBreaches.net also asked Ascension Health what it was doing to boost security.

Ascension Health did not respond at all to the first inquiry, so it was re-sent.

This time, they replied. Their reply?

“We’re going to pass. Thanks.”

Category: Health DataMalwareU.S.

Post navigation

← CA: Mail Sent To DMV Offices In Riverside Stolen
Medical pot users try class action after Health Canada privacy breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident
  • U.S. Government Employee Arrested for Attempting to Provide Classified Information to Foreign Government
  • St. Cloud Provides Update on Ransomware Attack in 2024
  • Bradford Health Systems detected abnormal network activity in December 2023. They first sent out breach notices this week.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans
  • The US Is Storing Migrant Children’s DNA in a Criminal Database

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.