5,000+ Individuals Impacted by Phishing Attacks on Phoenix Children’s Hospital, VillageCareMAX and VillageCare Rehabilitative and Nursing Center

Village Senior Services Corporation, also known as VillageCareMAX (VCMAX), and Village Center for Care, also known as VillageCare Rehabilitative and Nursing Center (VRNC), experienced a business email compromise (BEC) attack. During a BEC attack, a threat actor impersonates an executive. It could be by accessing the executive’s real email account that was previously compromised in an attack or it could be spoofing the email address of an executive.

The sensitive data of VCMAX members and VRNC patients was requested by an unauthorized individual pretending to be an executive staff member. An employee thought it was a legitimate request and responded by giving the asked for information. On December 30, 2019, VCMAX and VRNC got a notice that there was a potential BEC attack.

Investigation of the incident confirmed the bogus request and the impermissible disclosure of sensitive information of VCMAX members and VRNC patients. The compromised data in the email account included the Medicaid ID numbers and names of 2,645 VCMAX members and the first and last names, dates of birth, names of the insurer, and Insurance ID numbers of 674 VRNC patients.

No report has been received regarding cases of personal data misuse, nevertheless, the instruction to all impacted persons was to be watchful and keep track of explanation of benefits statements, accounts and credit reports for evidence of bogus activities. A review of the policies and procedures by VCMAX and VRNC is ongoing and improvements will be implemented to avert identical attacks later on.

Phoenix Children’s Hospital Phishing Attack

Phoenix Children’s Hospital had a targeted phishing attack from September 5 to September 20, 2019, which brought about the breach of seven hospital employees’ email accounts.

After knowing that a breach occurred, a well-known computer forensic company was appointed to look into the scope of the breach. On November 15, 2019, it was confirmed that the compromised email accounts contained 1,860 past and present patients’ protected health information (PHI). It’s possible that the attackers have accessed or downloaded the information, which included names, personal information, and Social Security numbers along with some medical information for certain patients.

Phoenix Children’s Hospital mailed breach notification letters to the impacted patients beginning January 14, 2020. The hospital at the same time offered the patients who had potentially compromised Social Security numbers free credit monitoring and identity theft protection services.