UnityPoint Health Notifies 1.4M Patients of Data Breach Caused by Phishing Attack

July 31, 2018
UnityPoint Health, a health system based in Des Moines, Ia., has let about 1.4 million patients know that their personal and health information may have been compromised, according to a press release from the organization.

According to the release, on May 31, UnityPoint Health discovered that a phishing email attack had compromised its business email system and may have resulted in unauthorized access to protected health information and other personal information for some patients.

A forensics investigation revealed that UnityPoint Health received a series of fraudulent emails that were disguised to appear to have come from a trusted executive within the organization. The phishing emails tricked some employees into providing their confidential sign-in information, which gave attackers access to their internal email accounts between March 14 and April 3. Some of the compromised accounts included emails or attachments to emails, such as standard reports related to healthcare operations, containing protected health information and/or personal information for certain patients, according to UnityPoint Health officials.

"We take our responsibility to protect patient information very seriously and deeply regret this incident occurred," RaeAnn Isaacson, privacy officer, UnityPoint Health, said in a statement. "While we are not aware of any misuse of patient information related to this incident, we are notifying patients about what happened, what information was involved, what we have done to address the situation, and what patients can do to help protect their information."

Officials said that the phishing attack was more likely focused on diverting business funds like payroll or vendor payments, rather than on obtaining patient information.

Electronic medical record (EMR) and patient billing systems were not impacted by this attack, according to officials. However, patient information that may have been in compromised email accounts included patient names and one or more of the following: addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service and/or insurance information. For some individuals, information may have included a Social Security number and/or driver's license number. For a limited number of others, payment or bank information could have been breached.

The only unauthorized access to patient information may have occurred through compromised email accounts, where the information was contained in the body of an email or in attachments such as reports, officials asserted.
