
UnityPoint Health reports massive phishing attack

Chris Nerney, Contributing Writer

A Midwest health system is notifying 1.4 million patients that their “protected health information and other personal information” may have been exposed in an email phishing attack four months ago.
The attack on Iowa-based UnityPoint Health is the largest healthcare breach in the U.S. in 2018. UnityPoint also was the victim of a smaller phishing attack in April that breached the electronic records of 16,000 patients.
UnityPoint on Monday mailed letters to patients explaining that it discovered the phishing email attack on May 31. The health system said it notified law enforcement and launched a forensic probe to determine “the size and scope of the attack, as well as the number of people potentially impacted.”
“The phishing attack on UnityPoint Health was more likely focused on diverting business funds from our organization, rather than on obtaining patient information,” the provider said in a press release. “Based on our investigation, we believe the perpetrators were trying to use the email system to divert payroll or vendor payments.”
They attempted to do so by sending fraudulent emails to UnityPoint employees that appeared to have come from an executive in the organization – classic social engineering.
The phishing emails tricked some UnityPoint employees into providing confidential sign-in information, giving attackers access to internal email accounts between March 14 and April 3.
“Some of the compromised accounts included emails or attachments to emails, such as standard reports related to healthcare operations, containing protected health information and/or personal information for certain patients,” UnityPoint said. “While unauthorized access to patient information may have occurred, no known or attempted misuse of patient information has been reported at this time.”
While electronic medical record and patient billing systems were not impacted by the attack, UnityPoint said, information that may have been contained in compromised email accounts included patient names and one or more of the following: addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service and/or insurance information.
For some individuals, exposed information also may have included a Social Security number and/or driver’s license number. For a limited number of individuals, information may also have included payment card or bank account numbers.
In addition to the letter to patients, UnityPoint said it has:

  • Reset passwords for all compromised accounts
  • Conducted mandatory education for our employees to help them recognize and avoid phishing emails
  • Added technology to identify suspicious external emails
  • Implemented multi-factor authentication, requiring users to go through multiple steps to verify their identity

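The third item on that list, "technology to identify suspicious external emails", is the control that most directly targets the lure described above: external mail carrying an internal executive's name and a payment-related request. The following is an added example, not UnityPoint Health's code or any vendor's product; it shows the kind of header check such a gateway rule performs. The internal domain `example-health.org`, the executive roster, the keyword list and the three sample messages are all constructed for illustration.

```python
"""Flag external email that impersonates an internal executive.

Added example (not UnityPoint Health's own code). It approximates a
"suspicious external email" check against the attack the article
describes: mail from outside the organization whose display name matches
an internal executive, often paired with a payroll or payment request.
The domain, roster and sample messages are constructed, not real.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-health.org"  # assumed internal mail domain

# Assumed executive roster: normalized display name -> legitimate address.
EXECUTIVES = {
    "jane doe": "jane.doe@example-health.org",
    "john roe": "john.roe@example-health.org",
}

# Subject words that commonly accompany payment-diversion requests.
FINANCIAL_KEYWORDS = ("payroll", "direct deposit", "wire", "invoice", "vendor payment")


def normalize_name(display_name):
    """Lower-case and collapse whitespace so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(display_name.lower().split())


def sender_domain(address):
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def analyze(raw_message):
    """Return the list of indicator tags found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "").lower()
    findings = []

    if sender_domain(addr) != INTERNAL_DOMAIN:
        findings.append("external-sender")
        expected = EXECUTIVES.get(normalize_name(display))
        # An executive's name on an address that is not theirs is the
        # display-name spoof the article describes.
        if expected and addr.lower() != expected:
            findings.append("executive-display-name-mismatch")

    if reply_to and reply_to.lower() != addr.lower():
        findings.append("reply-to-differs-from-sender")

    if any(word in subject for word in FINANCIAL_KEYWORDS):
        findings.append("financial-request-keyword")

    return findings


def is_suspicious(findings):
    """Executive impersonation from outside is always suspicious; an external
    sender that redirects replies is suspicious when paired with a payment ask."""
    if "executive-display-name-mismatch" in findings:
        return True
    return ("external-sender" in findings
            and "reply-to-differs-from-sender" in findings
            and "financial-request-keyword" in findings)


# Constructed sample messages (not real mail).
SPOOFED = """From: "Jane Doe" <jane.doe@mail-example.net>
To: payroll@example-health.org
Subject: Urgent: update my direct deposit before Friday

Please change my payroll account, I am travelling and cannot call.
"""

LEGITIMATE_INTERNAL = """From: "Jane Doe" <jane.doe@example-health.org>
To: payroll@example-health.org
Subject: Direct deposit question

Can you confirm which form I need for a bank change?
"""

VENDOR = """From: "Acme Supplies" <billing@acme-supplies.example>
To: ap@example-health.org
Subject: Invoice 4471

Attached is this month's invoice.
"""

if __name__ == "__main__":
    samples = (("spoofed", SPOOFED), ("internal", LEGITIMATE_INTERNAL), ("vendor", VENDOR))
    for label, raw in samples:
        found = analyze(raw)
        print(f"{label:9} suspicious={is_suspicious(found)} {found}")
```

Only the first sample is flagged: the vendor invoice is external and payment-related but uses no internal name, and the genuine executive message is internal. In a real gateway this check is one layer beside SPF/DKIM/DMARC evaluation and the MFA the fourth item describes, which limits what a harvested password alone can do.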
Through the first five months of this year, provider organizations had reported 149 breaches impacting more than 2.8 million patients, according to a study by Fortified Health Security. Email attacks comprised 28 percent of those breaches, the study said.
Healthcare data breaches cost an average of $408 per record, according to the 2018 Cost of a Data Breach Report by IBM and the Ponemon Institute. That’s nearly twice as much as the runner-up (financial services at $206 per record), and nearly triple the average across all industries of $148 per record.