Phishing Attacks on VillageCareMAX, VillageCare Rehabilitative and Nursing Center and Phoenix Children’s Hospital

Village Senior Services Corporation also called VillageCareMAX (VCMAX) and Village Center for Care also called VillageCare Rehabilitative and Nursing Center (VRNC) encountered a business email compromise (BEC) attack. The threat actors behind BEC attacks impersonate an executive, either by utilizing the genuine email account of an executive that was compromised in a past attack or through spoofing the email address of the executive.

An unauthorized person pretended to be a member of the executive staff and asked for sensitive data of VCMAX members and VRNC patients. An employee was convinced that the request is legitimate and responded by giving the requested information. On or around December 30, 2019, VCMAX and VRNC received notification about the potential BEC attack.

It was confirmed by the investigators that the request was not legitimate and sensitive data of VCMAX members and VRNC patients were impermissibly disclosed. The data sent through email contained 2,645 VCMAX members Medicaid ID numbers and names and 674 VRNC patients’ first and last names, birth dates, insurance company names, and Insurance ID numbers.

There were no reported cases of personal information misuse, however, all affected persons were instructed to be cautious and monitor accounts, explanation of benefits statements and credit reports for indications of bogus transactions. VCMAX and VRNC are going over and improving their policies and procedures to avoid more similar attacks in the future.

Phishing Attack on Phoenix Children’s Hospital

A targeted phishing attack on Phoenix Children’s Hospital from September 5 to September 20, 2019 resulted in the compromise of the email accounts of seven hospital employees.

After becoming aware of the breach, a prominent computer forensic company was hired to investigate the magnitude of the breach. On November 15, 2019, the hospital found out that the compromised email accounts hold the protected health information (PHI) of 1,860 past and present patients, which the attackers might have viewed or downloaded.

The patient data contained in the accounts included their names and personal data. The Social Security numbers and some health data of some patients were also included.

Phoenix Children’s Hospital began sending notification letters to the affected patients via mail on January 14, 2020. The hospital also offered free credit monitoring and identity theft protection services to patients who had their Social Security number potentially compromised.