Rogue Employee of a Vendor Accesses UnityPoint EHRs

UnityPoint Health, formerly Iowa Health System, is notifying about 1,800 hospital patients across multiple regions of the delivery system after an unauthorized employee of a third-party vendor accessed its electronic health records system using passwords of authorized users.

UnityPoint discovered the breach in August during a regular security audit, when a pattern of unusual access to certain data was detected, according to a statement from the organization. A law enforcement investigation continues.

Unauthorized access occurred from February through August. Compromised data included patient name, home address, date of birth, medical and insurance account numbers, and treatment information. Fewer than 10 percent of affected individuals also had a Social Security number and/or driver’s license number compromised. Information on the financially responsible party was breached for four patients.

UnityPoint is offering all affected individuals 12 months of credit monitoring services through Experian. The delivery system is reeducating EHR users on safeguarding passwords and implementing additional audits.