Data of 1.4M UnityPoint Health patients at risk after phishing attack

Register now

A series of phishing attacks at UnityPoint Health tricked employees into providing confidential sign-in information for its email system.

The attacks, believed to have occurred from March 14 to April 3, gave attackers access to internal emails. The organization did not discover that its business email system had been compromised until May 31, and now about 1.4 million individuals are being notified of the network breach that may have provided access to their data.

The fraudulent mails were designed to appear to have come from a trusted executive at UnityPoint Health.

The compromised accounts could provide access to attachments to emails, and standard reports, related to healthcare operations, that included protected health information or personal information for patients, according a notification letter from the organization.

“Our investigation and outside experts’ review indicate that this series of phishing emails was part of an attack on our business email system,” the letter states. “According to computer forensic experts and law enforcement, these types of attacks are usually financially motivated. The phishing attack on UnityPoint Health was more likely focused on diverting business funds from our organization, rather than on obtaining patient information. Based on our investigation, we believe the perpetrators were trying to use the email system to divert payroll or vendor payments.”

Consequently, electronic record systems and patient billing systems were not affected, and the only unauthorized access to patient data was through compromised email accounts.

Patient data at risk included names, addresses, dates of birth, medical record numbers, medical information, treatment and surgical information, diagnoses, lab results, medications, providers, dates of service and insurance information. For some patients, Social Security numbers, driver’s license numbers, payment card numbers or bank account numbers also were compromised.

In the aftermath of the attack, UnityPoint Health reset passwords for all compromised accounts, added software to identify suspicious external emails, implemented multi-factor authentication to verify user identities before accessing systems, and educated employees to recognize and avoid phishing emails.

Individuals with compromised Social Security numbers or driver’s license numbers will be offered one year of credit monitoring services. Unity Point gave all affected individuals information on protecting their medical identity.

A spokesperson at Unity Point Health was not available for additional comment on the incident.

For reprint and licensing requests for this article, click here.