Phishing attack impacts 326,000 patients of UCONN Health

A class action lawsuit has been filed following a huge data breach at the University of Connecticut and UCONN Health that affected more than 300,000 current and former patients.

On February 25, 2019, UCONN announced that a hacker had gained access to several employee email accounts via a phishing attack in which employees click on an email that appears to come from a trusted source but is laden with malware.

Protected health information that was compromised included patient names, dates of birth, addresses, medical information as well as an undisclosed number of Social Security numbers.

Plaintiff Yoselin Martinez, a patient and resident in New London, Connecticut, brought the lawsuit against the University of Connecticut and UCONN Health. Martinez received a data breach notification letter and soon after she checked her bank account and found it had been placed into overdraft. A bank representative told Martinez that the charge was the result of a fraudulent transaction on her account.

“In addition to the fraudulent activity currently affecting Ms. Martinez as a result of the breach, she will continue to be at heightened risk for financial fraud and identity theft and their attendant damages for years to come,” the lawsuit states.

Following a forensic evaluation, UCONN Health acknowledged that protected information was first compromised in August 2018, according to the lawsuit, but the breach was not discovered until December 24, 2018—and, patients were not notified until two months later.

At this point, UCONN is not aware of any fraud or identity theft to any individual and does not know if any personal information was viewed or acquired by the unauthorized party, the organization told patients in the breach notification letter. “Nevertheless, because we cannot isolate exactly what, if any, information may have been accessed, we notified individuals whose information was in the impacted accounts. The incident had no impact on our computer networks or electronic medical record systems.”

Also See: How regular phishing drills keep providers’ data safe

UCONN Health is offering identity theft protection services to individuals whose Social Security numbers may be impacted. Other individuals were given information on regularly monitoring credit reports, account statements and benefit statements, and to promptly report any suspicious activity to appropriate law enforcement authorities. Affected individuals also received fraud prevention tips from the Federal Trade Commission.

uconnstudents.jpg

“We take our responsibility to safeguard personal information seriously and apologize for any inconvenience or concern,” UCONN Health told patients. “We have taken and will continue to take steps to help prevent something like this from happening again, including evaluation of additional platforms for educating staff and reviewing technical controls.”

The lawsuit emphasizes the risks that Martinez and other individuals face.

“Plaintiff and class members seek to remedy the harms caused by the data breach and have a significant interest in ensuring that their protected information, which remains in UCONN’s possession, is protected from further breaches,” the lawsuit notes. “No one can know what else the cyber criminals will do with the compromised information. However, what is known is that UCONN Health patients will be for the rest of their lives at a heightened risk of further identity theft and fraud.”

The complete lawsuit is available here.

For reprint and licensing requests for this article, click here.