UnityPoint Health’s 1.4 Million Records Breached
UnityPoint Health has recently released an FAQ page in connection with the phishing attack that the healthcare company encountered almost 3 months ago. Internal email accounts were compromised from March 14, 2018, to April 3, 2018, but the compromise was discovered only on May 31, 2018. Further investigation showed that some employees had been phished, exposing confidential patient information. An estimated 1.4 million patient records have been released to unknown third parties.
“We take our responsibility to protect patient information very seriously and deeply regret this incident occurred. While we are not aware of any misuse of patient information related to this incident, we are notifying patients about what happened, what information was involved, what we have done to address the situation and what patients can do to help protect their information,” RaeAnn Isaacson, UnityPoint Health’s Privacy Officer, stressed.
UnityPoint has said that it is coordinating with law enforcement officials on parallel investigations. Its employees were scammed with phishing emails, losing their email credentials in the process. Besides patient records, non-medical personally identifiable information such as driver’s license numbers and Social Security numbers may also have been exposed.
The report emphasized: “Patient information that may have been in compromised email accounts included patient names and one or more of the following: addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service and/or insurance information. For some individuals, information may have included a Social Security number and/or driver’s license number. For a limited number of individuals, information may also have included payment card or bank account numbers. While unauthorized access to patient information may have occurred, no known or attempted misuse of patient information has been reported as a result of this incident at this time.”
UnityPoint contacted the victims of the data breach and offered them free credit monitoring services for one year, as they are vulnerable to identity theft. The healthcare firm also provided a hotline, (888) 266-9285, for patients to call if they have questions.
“We continue to work closely with leading experts to learn from our experience and help our organization — and other healthcare organizations — prevent these kinds of cybercrimes,” Isaacson added.
The company stressed that only certain patient records are affected, namely those available from the email accounts that were infiltrated through the phishing attack. The UnityPoint Health report further said: “Electronic medical record and patient billing systems were not impacted by this attack. The only unauthorized access to patient information may have occurred through compromised email accounts, where the information was contained in the body of an email or in attachments such as reports. It is common and appropriate for patient information to be shared through business email between employees authorized to use it as part of their work to support patient care. Business reports are created for a variety of purposes, including to track payments from patients’ primary insurance carriers or to contact patients regarding follow-up appointments.”
UnityPoint Health is a mainstream non-profit healthcare organization in the United States. They have hospital facilities in Wisconsin, Iowa and Illinois.
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.