UnityPoint Health Notifies 1.4M Patients of Data Breach Caused by Phishing Attack

July 31, 2018
UnityPoint Health, a health system based in Des Moines, Ia., has let about 1.4 million patients know that their personal and health information may have been compromised, according to a press release from the organization.

According to the release, on May 31, UnityPoint Health discovered that a phishing email attack had compromised its business email system and may have resulted in unauthorized access to protected health information and other personal information for some patients.

A forensics investigation revealed that UnityPoint Health received a series of fraudulent emails that were disguised to appear to have come from a trusted executive within the organization. The phishing emails tricked some employees into providing their confidential sign-in information, which gave attackers access to their internal email accounts between March 14 and April 3. Some of the compromised accounts included emails or attachments to emails, such as standard reports related to healthcare operations, containing protected health information and/or personal information for certain patients, according to UnityPoint Health officials.

"We take our responsibility to protect patient information very seriously and deeply regret this incident occurred," RaeAnn Isaacson, privacy officer, UnityPoint Health, said in a statement. "While we are not aware of any misuse of patient information related to this incident, we are notifying patients about what happened, what information was involved, what we have done to address the situation, and what patients can do to help protect their information."

Officials said that the phishing attack was more likely focused on diverting business funds like payroll or vendor payments, rather than on obtaining patient information.

Electronic medical record (EMR) and patient billing systems were not impacted by this attack, according to officials. However, patient information that may have been in compromised email accounts included patient names and one or more of the following: addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service and/or insurance information. For some individuals, information may have included a Social Security number and/or driver's license number. For a limited number of others, payment or bank information could have been breached.

The only unauthorized access to patient information may have occurred through compromised email accounts, where the information was contained in the body of an email or in attachments such as reports, officials asserted.
