by John R. Fischer, Senior Reporter | August 02, 2018
The protected health information of approximately 1.4 million individuals cared for by UnityPoint Health in Iowa, western Illinois and southern Wisconsin may have been compromised by an email phishing scam found within its business email system.
The attack was discovered in May and disclosed this week in letters sent out to patients. The letters explain that attackers gained access to the system by posing as what was thought to be a trusted employee within the organization, messaging staff members and tricking them into providing confidential sign-in information. The attack is the second to rock the health system in months, following another email phishing scam disclosed in April that may have impacted approximately 16,400 patients.
“We have worked to identify the problem, secure our systems and minimize the risk of this kind of criminal attack affecting our organization again,” Amy Varcoe, a spokesperson for UnityPoint Health, told HCB News. “Our immediate priority is to make sure our patients and the communities we serve get the answers they need.”
Following the discovery, the provider informed law enforcement agencies and has since launched an investigation into the matter with a computer forensics firm to determine the size and scope of the attack, and those potentially impacted.
Unauthorized access to internal email accounts took place between March 14 and April 3. The compromised material consisted of standard reports on healthcare operations and contained protected health information and personal information for certain patients that was communicated between staff in the form of emails and attachments.
Specific information that may have been compromised includes patient names as well as addresses, dates of birth, and medical information pertaining to treatment, surgery, record numbers, diagnoses, lab results, dates of service, medications, providers and insurance information.
Social Security and driver's license numbers may also have been affected, as well as card information and bank account numbers for a limited number of patients. Breaches were not found in the provider’s electronic medical records and patient billing systems.
Though no known or attempted misuse of patient data has been reported at this time, patients are advised to review account statements for fraudulent or irregular activity, including statements for explanation of benefits, and to report any items not recognized to their insurance and care providers.