An employee at the VillageCare Rehabilitation and Nursing Center (VCRN) was tricked into providing patient information to a threat actor.
In a Notice of Data Privacy Incident, the New York City medical center explained that on December 30, an employee received a suspicious email from an unauthorised actor impersonating a member of the executive team.
The actor requested specific information related to VCRN patients, and the employee, believing the request to be legitimate, provided it.
Information potentially obtained by the threat actor included first and last names, dates of birth, and medical insurance information, including ID number and provider name, for 674 patients.
“Once it became apparent that the email received by the employee was not a legitimate request, we immediately launched an investigation with the assistance of third-party forensic specialists to determine the full scope of this event,” said VCRN.
VCRN has noted that it is currently unaware of any misuse of patient information.
As a result of the incident, VCRN has notified potentially affected individuals. In addition, the medical center has assessed the security of relevant VCRN systems, and is currently reviewing and enhancing existing policies and procedures.
Law enforcement and regulatory authorities have been alerted about the incident.
VCRN has advised patients to “remain vigilant against incidents of identity theft and fraud and to review account statements, credit reports, and explanation of benefits forms for suspicious activity and report any suspicious activity immediately to your insurance company, health care provider, or financial institution.”
The post #Privacy: NY City medical center tricked into sharing patient info appeared first on PrivSec Report.