Hackers access UC Health employees’ email accounts in phishing attack
UC Health suffered a phishing attack in early July that led to unauthorized access to several employee email accounts.
The health system, which serves the greater Cincinnati and Northern Kentucky metropolitan area, reported that the accounts were infiltrated between July 6 and July 12.
After the breach was discovered, the organization secured the accounts and launched an investigation that continues with the help of a data forensics firm. The investigation, however, has been unable to determine whether the hacker actually viewed the affected emails or their attachments.
UC Health's proactive notice is unusual, considering the organization is not yet formally notifying patients. The organization is now reviewing emails and attachments in the accounts to identify patients whose protected health information may have been accessible to the hacker. An early look at the information at risk includes data such as patient names, dates of birth, medical record numbers and clinical information.
“UC Health continues to investigate this incident and anticipates notifying patients in the coming weeks,” UC Health told patients and regulators. “Although UC Health has no indication that any patient information has been misused, in an abundance of caution UC Health has established a call center for patients to call with questions.”
The organization urged patients to review statements from their providers and to contact providers immediately if they see services on statements that were not rendered.
As is becoming more common at the suggestion of the HHS Office for Civil Rights, which enforces the HIPAA privacy and security rules, UC Health apologized to affected individuals. “UC Health takes the privacy and security of its patients very seriously and deeply regrets any inconvenience this incident may cause its patients. To help prevent something like this from happening again, UC Health is enhancing its email security by reinforcing education with employees on how to identify and avoid malicious emails.”
The organization will send information to HHS, including details of the attack and the number of affected individuals, and a formal patient notification process will commence.