A phishing attack on UnityPoint Health has allowed hackers to gain access to the protected health information (PHI) of 1.4 million patients. This incident is the largest data breach to affect a healthcare organization so far this year, affecting twice as many individuals as the breach at the California Department of Developmental Services.
This is the largest phishing incident reported by a healthcare provider since the HHS’ Office for Civil Rights (OCR) began publicizing data breaches in 2009. It is also the largest healthcare data breach of any description since August 2016 when Newkirk Products, Inc. reported its 3,466,120-record breach.
UnityPoint Health detected the phishing attack on May 31, 2018. According to the forensic investigation, multiple email accounts were compromised from March 14 to April 3, 2018. Employees were fooled by highly convincing emails in which a trusted member of the organization was impersonated.
In business email compromise scams, hackers gain access to a senior executive’s email account and use it to send internal emails instructing employees to provide data such as W-2 Forms or make fraudulent wire transfers. However, it is not always necessary to have access to an executive’s email account to conduct a successful phishing campaign. Spoofing an email address can be just as effective, as was the case in this attack.
A third-party computer forensics company was retained by UnityPoint Health to assist with the breach investigation. According to the investigators, the purpose of the attack was to redirect vendor payments and payroll money to the attacker’s accounts. However, the email accounts did contain a wide range of protected health information which could have been stolen.
The patients affected had varying types of information compromised including names, birth dates, addresses, health record numbers, diagnosis details, treatment details, laboratory test results, health insurance details, surgery information, names of providers, dates of service, Social Security numbers and driver’s license numbers. For some patients, financial data such as credit card numbers may have been exposed. UnityPoint Health has offered the patients whose financial information, driver’s license numbers and Social Security numbers were exposed one year of credit monitoring services.
This is the second UnityPoint Health phishing attack to have been reported in 2018. In April, UnityPoint Health announced that several email accounts were compromised and the PHI of 16,400 patients had been exposed. Unauthorized persons had accessed the employees’ email accounts from November 1, 2017 to February 7, 2018. Following that attack, UnityPoint Health said it had implemented additional security controls to prevent further attacks, but they clearly proved ineffective.
This second phishing attack has prompted UnityPoint Health to implement further security controls, including two-factor authentication on email accounts and technological solutions to identify suspicious emails from outside the organization. Employees have also been given additional HIPAA staff training to help them recognize phishing scams.
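As an added defensive illustration (not code from the article or from UnityPoint Health), the following Python sketches the kind of gateway check behind the controls described above: it flags inbound mail whose From header spoofs the organization's own domain without passing DMARC, or whose display name matches a known employee while the address does not. The internal domain, the staff directory, the sample messages and the assumption that only our own receiving MTA stamps Authentication-Results are all constructed for this example.

```python
import email
from email.utils import parseaddr

# Assumed placeholders: our mail domain and a constructed directory of
# trusted senders (lower-cased display name -> their real internal address).
INTERNAL_DOMAIN = "example-health.test"
STAFF_DIRECTORY = {"jane doe": "jane.doe@example-health.test"}

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def impersonation_findings(raw: bytes) -> list:
    """Reasons an inbound message looks like staff/executive impersonation.
    Trusts the Authentication-Results header stamped by our own receiving MTA
    (assumed: the gateway strips any such header arriving from outside)."""
    msg = email.message_from_bytes(raw)
    name, addr = parseaddr(msg.get("From", ""))
    auth = (msg.get("Authentication-Results") or "").lower()
    findings = []
    # 1. From header claims our domain but DMARC did not pass: address spoofing.
    if domain_of(addr) == INTERNAL_DOMAIN and "dmarc=pass" not in auth:
        findings.append("internal From domain without DMARC pass")
    # 2. Display name matches a known employee but the address is not theirs
    #    (lookalike domain or free-mail account).
    expected = STAFF_DIRECTORY.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display name matches staff but address differs")
    # 3. Reply-To steers replies to a different domain than From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != domain_of(addr):
        findings.append("Reply-To domain differs from From domain")
    return findings

# Constructed sample messages, not real traffic.
SPOOFED = b"""From: Jane Doe <jane.doe@example-health.test>
Authentication-Results: mx.example-health.test; spf=fail; dmarc=fail
Subject: Urgent: update my direct deposit
"""
LOOKALIKE = b"""From: Jane Doe <jane.doe@examp1e-health.test>
Reply-To: jane.doe.ceo@freemail.test
Authentication-Results: mx.example-health.test; dmarc=pass
Subject: Vendor payment
"""
LEGIT = b"""From: Jane Doe <jane.doe@example-health.test>
Authentication-Results: mx.example-health.test; spf=pass; dkim=pass; dmarc=pass
Subject: Team meeting
"""
```

A message with any finding would be quarantined or tagged with an external-sender banner rather than delivered silently; the display-name check is what catches the lookalike case that DMARC alone cannot, since the attacker's own domain authenticates cleanly.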