More than one million patients may have had their personal and health information compromised in a cybersecurity attack on UnityPoint Health earlier this year, officials said this week.
Approximately 1.4 million patients were notified Monday of a phishing email attack that had compromised the health care system’s business email system “and may have resulted in unauthorized access” to patients’ health and other personal information, according to a security notice that was mailed to patients Monday.
The information was contained in the body of an email or in attachments, such as reports.
The attack did not compromise the organization’s electronic health records, said UnityPoint Health spokeswoman Amy Varcoe. However, patient information that includes dates of birth, addresses, medical information, providers, dates of service and/or insurance information may have been in compromised emails.
Approximately 33 percent of the compromised accounts contained Social Security numbers and/or driver’s license numbers, Varcoe said. Less than 1 percent of the compromised accounts contained payment card or bank account information.
Varcoe said this incident is unrelated to the email phishing attack that hit the organization between Nov. 1, 2017, and Feb. 7 of this year that impacted about 16,000 patients.
“We take our responsibility to protect patient information very seriously and deeply regret this incident occurred,” RaeAnn Isaacson, privacy officer at UnityPoint Health, said in a news release.
“While we are not aware of any misuse of patient information related to this incident, we are notifying patients about what happened, what information was involved, what we have done to address the situation, and what patients can do to help protect their information.”
Officials, once they learned of the attack on May 31, informed law enforcement. They also began an investigation with a computer forensics business, which found the organization received a series of fraudulent emails — known as “phishing” — disguised to look like they had come from a UnityPoint Health executive.
The emails tricked some employees into providing their confidential sign-in information, giving attackers access to their internal email accounts between March 14 and April 3.
According to the security notice, these attacks typically are financially motivated, and the attack on UnityPoint Health likely was focused on diverting funds from the organization, then obtaining patient information.
Des Moines-based UnityPoint Health is offering free credit card monitoring for one year to individuals whose Social Security number and/or driver’s license number was included in the compromised emails.
Instructions on how to enroll will be mailed to eligible patients’ last known home address.
UnityPoint Health officials also encourage affected individuals to monitor their accounts for fraudulent or irregular activity on a regular basis.
UnityPoint Health has established a toll-free helpline at 1-888-266-9285 for patients to determine if they were affected by the attack. The line is open 8 a.m. to 8 p.m., Monday through Friday.
UnityPoint also has a page on its website containing frequently asked questions on the security notice. It can be read at unitypoint.org/security-faq.aspx.
Comments: (319) 368-8536; firstname.lastname@example.org