UnityPoint Health Notifies 1.4M Patients of Data Breach Caused by Phishing Attack

July 31, 2018
UnityPoint Health, a health system based in Des Moines, Ia., has let about 1.4 million patients know that their personal and health information may have been compromised, according to a press release from the organization.

UnityPoint Health, a health system based in Des Moines, Ia., has let about 1.4 million patients know that their personal and health information may have been compromised, according to a press release from the organization.

According to the release, on May 31, UnityPoint Health discovered that a phishing email attack had compromised its business email system and may have resulted in unauthorized access to protected health information and other personal information for some patients.

A forensics investigation revealed that UnityPoint Health received a series of fraudulent emails that were disguised to appear to have come from a trusted executive within the organization. The phishing emails tricked some employees into providing their confidential sign-in information which gave attackers access to their internal email accounts between March 14 and April 3. Some of the compromised accounts included emails or attachments to emails, such as standard reports related to healthcare operations, containing protected health information and/or personal information for certain patients, according to UnityPoint Health officials.

"We take our responsibility to protect patient information very seriously and deeply regret this incident occurred," RaeAnn Isaacson, privacy officer, UnityPoint Health, said in a statement. "While we are not aware of any misuse of patient information related to this incident, we are notifying patients about what happened, what information was involved, what we have done to address the situation, and what patients can do to help protect their information."

Officials said that the phishing attack was more likely focused on diverting business funds like payroll or vendor payments, rather than on obtaining patient information.

Electronic medical record (EMR) and patient billing systems were not impacted by this attack, according to officials.  However, patient information that may have been in compromised email accounts included patient names and one or more of the following: addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service and/or insurance information. For some individuals, information may have included a Social Security number and/or driver's license number. For a limited number of others, payment or bank information could have been breached.

The only unauthorized access to patient information may have occurred through compromised email accounts, where the information was contained in the body of an email or in attachments such as reports, officials asserted.

Sponsored Recommendations

2024's Healthcare Buyer Journey: New Research and Insights

Join us on April 30th for a webinar unveiling insights from the latest study on the Healthcare IT Buying Journey! Discover evolving challenges, effective health data management...

Improving care with AI-powered solutions

Don't miss our April 23rd webinar delving into the transformative impact of AI-powered solutions on healthcare. Join industry leaders Reid Conant and Dr. Patrick McGill as they...

Shield your health system against cyber threats

You won't want to miss out on this imperative April 4th webinar about how you can protect your healthcare organization. Join us to learn how to fortify your health system against...

Healthcare Trends 2024: Trends & Strategies for Future Success

Explore the future of healthcare in 2024 with insights from the Healthcare Industry Trends Report. Stay ahead of the curve as we delve into the latest industry developments and...