Data breach at Verity Health could have affected 10,000 patients

Andrei Soran, now chief executive of Verity Health, shown in an earlier job. Andrei Soran, now chief executive of Verity Health, shown in an earlier job. Photo: Boston Globe, Boston Globe Via Getty Images Photo: Boston Globe, Boston Globe Via Getty Images Image 1 of / 1 Caption Close Data breach at Verity Health could have affected 10,000 patients 1 / 1 Back to Gallery

The personal information of more than 10,000 patients of Verity Health may have been compromised after the website of the Redwood City health system was hacked.

The information included patient names, dates of birth, addresses, email addresses, phone numbers, medical record numbers and the last four digits of credit card numbers, dated between 2010 and 2014, Verity said. It did not include Social Security numbers. Verity is notifying the affected patients by mail.

On Jan. 6, company officials detected an unauthorized breach on the Verity Medical Foundation-San Jose Medical Group website, which has since been shut down. An internal investigation showed the breach happened between October 2015 and January 2017.

MBA BY THE BAY: See how an MBA could change your life with SFGATE's interactive directory of Bay Area programs.

There is no evidence that the information has been used in an unauthorized fashion, the company said Tuesday.

It is the third-largest breach of health information reported in 2017 in terms of the number of patients affected, according to the Department of Health and Human Services Office for Civil Rights, which tracks hacking incidents of health systems affecting 500 or more people. This year, 24 such incidents have been reported to the department.

“Verity Health System takes the security of our patients’ information seriously, and we regret that this incident occurred,” CEO Andrei Soran said in a statement. “We took immediate steps to investigate this incident, notify the affected individuals and appropriate authorities, and ensure enhanced protection of our information systems.”

Verity Health runs six hospitals, including Seton in Daly City, Seton Coastside in Moss Beach, O’Connor in San Jose, St. Louise in Gilroy and two in Southern California. It also includes Verity Medical Foundation and Verity Physician Network. The health system was known as Daughters of Charity before it was taken over by investment firm BlueMountain Capital Management in 2016.

Verity is offering free credit monitoring services for affected patients for one year, and has set up a call center to answer questions.

Catherine Ho is a San Francisco Chronicle staff writer. Email: cho@sfchronicle.com Twitter: Cat__Ho