DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Seton Family Health notifying 39,000 patients after employee falls for phish; Second Ascension Health member to report breach this week (Update2)

Posted on April 25, 2015 by Dissent

Is Ascension Health being targeted by attackers successfully acquiring employee e-mail account logins via phishing?  (Update 2: It seems they are. See this post after reading the one below.)

Zach Lozano reports that Seton Family of Hospitals will provide free identity monitoring and protection services for patients who had their personal information leaked in a phishing attack targeting employee emails:

Approximately 39,000 patients received letters about the breach in which hackers accessed protected patient information, including demographic information, medical record numbers, insurance information and Social Security numbers. Seton was notified of the breach on Feb. 26.

Well, that last statement is not quite accurate, as I’ll explain below, but you can read the rest of his report on KXAN.

In looking into this incident, I became suspicious when I noted that Seton is  part of Ascension Health. This past week, another Ascension member, St. Vincent Medical Group in Indiana, also reported a phishing attack but they learned of theirs on December 3, not in February. So I started digging more, wondering if Ascension hospitals are being targeted just as we saw both Baylor facilities and Franciscan Health/Catholic Health Initiatives facilities being targeted by phishing attacks. And sure enough, I found a notice on Seton’s site that reports that they actually became aware of the phishing attack on December 4 – the day after St. Vincent’s learned of their breach. Seton’s notification is basically the same as St. Vincent’s  notification after adjusting for date of discovery and number affected. Here’s the main part of Seton’s notice:

The privacy and security of patient information is of utmost importance to Seton Family of Hospitals, a division of Seton Healthcare Family (“Seton”), and Seton has implemented significant security measures to protect such information. Regrettably, despite the efforts to safeguard patient information, an email phishing attack has affected Seton’s patients.

Seton experienced an email phishing attack on December 4, 2014, which targeted the user names and passwords of Seton employees. Upon the determination that an email account had been compromised, the user name and password was immediately shut down. Seton launched an investigation into the matter, and the investigation has required electronic and manual review of affected e-mails to determine the scope of the incident. Seton engaged computer forensics experts to assist with the investigation. Through the ongoing investigation of this matter, we determined on February 26, 2015, that the employee e-mail accounts subject to the phishing attempt contained some personal health information for approximately 39,000 patients.

The personal health information in the e-mail accounts included demographic information (i.e., name, address, gender, date of birth, etc.), medical record numbers, insurance information, limited clinical information and, in some cases, Social Security numbers. The hackers did not gain access to individual medical records or billing records.

[…]

I wonder whether we’ll learn that other Ascension Health members have been similarly targeted. Ascension Health describes itself as the largest non-profit health system in the U.S., with 131 hospitals.  As their site also indicates, Ascension Information Services (“AIS”) was formed as a nonprofit corporation in 2005, and AIS provides information technology infrastructure and software application support services to all member entities of Ascension. But who provides the training to employees how to not fall for phishing attempts?

Updated: DataBreaches.net reached out to Ascension Health to ask them whether there were more than two hospitals that have had recent phishing incidents like those reported by the two hospitals mentioned in this post. DataBreaches.net also asked Ascension Health what it was doing to boost security.

Ascension Health did not respond at all to the first inquiry, so it was re-sent.

This time, they replied. Their reply?

“We’re going to pass. Thanks.”

Related posts:

  • Seton Healthcare Family notifies 5,500 patients of breach involving stolen laptop (CORRECTED)
  • Updating: CaptureRx incident impacted more than 2.4 million. List of Entities.
  • And then there were three (Ascension Health entities breached)
Category: Health DataMalwareU.S.

Post navigation

← CA: Mail Sent To DMV Offices In Riverside Stolen
Medical pot users try class action after Health Canada privacy breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Qantas customers involved in mammoth data breach
  • CMS Sending Letters to 103,000 Medicare beneficiaries whose info was involved in a Medicare.gov breach.
  • Esse Health provides update about April cyberattack and notifies 263,601 people
  • Terrible tales of opsec oversights: How cybercrooks get themselves caught
  • International Criminal Court hit with cyber attack during NATO summit
  • Pembroke Regional Hospital reported canceling appointments due to service delays from “an incident”
  • Iran-linked hackers threaten to release emails allegedly stolen from Trump associates
  • National Health Care Fraud Takedown Results in 324 Defendants Charged in Connection with Over $14.6 Billion in Alleged Fraud
  • Swiss Health Foundation Radix Hit by Cyberattack Affecting Federal Data
  • Russian hackers get 7 and 5 years in prison for large-scale cyber attacks with ransomware, over 60 million euros in bitcoins seized

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Trump administration is building a national citizenship data system
  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.