Patient information that might have been compromised included patient names, addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service, and/or insurance information.
For some individuals, information may have included a Social Security number, driver's license number, credit and debit numbers, and bank account numbers. Electronic medical record and patient billing systems were not involved in the attack, stressed UnityPoint.
UnityPoint Health said it discovered on May 31 that a phishing attack had compromised its business email system and may have resulted in unauthorized access to PHI and other personal information for patients.
UnityPoint Health then informed law enforcement agencies and launched an investigation with a computer forensics firm to determine the size and scope of the attack, as well as the number of people potentially impacted.
The forensics investigation revealed that phishing emails tricked some employees into providing their confidential sign-in information, which enabled attackers to access internal email accounts between March 14, 2018, and April 3, 2018.
Some of the compromised accounts included emails or attachments to emails, such as standard reports related to healthcare operations, containing PHI and other personal information for certain patients.
“While we are not aware of any misuse of patient information related to this incident, we are notifying patients about what happened, what information was involved, what we have done to address the situation, and what patients can do to help protect their information,” said UnityPoint Health Privacy Officer RaeAnn Isaacson.
UnityPoint Health is offering free credit monitoring services for one year to individuals whose Social Security number and/or driver's license number were included in the compromised email accounts.
To prevent a future attack from succeeding, UnityPoint said it was taking the following actions:
- Resetting passwords for all compromised accounts to prevent further unauthorized access
- Conducting mandatory training for employees to help them recognize and avoid phishing emails
- Adding technology to identify suspicious external emails
- Implementing multifactor authentication
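The third item, technology to identify suspicious external email, is the kind of control a mail gateway applies before a message reaches an inbox. The following is an added illustration written for this article, not UnityPoint's tooling: it tags messages from outside an assumed internal domain (`example-health.test`, constructed) with an `[EXTERNAL]` subject prefix and flags the traits a credential-phishing lure often carries, such as a lookalike sender domain, a Reply-To that points somewhere else, failed SPF/DKIM/DMARC results, and a password-themed subject. The sample messages and the lure-word list are constructed for the example.

```python
"""Tag external mail and flag common phishing traits at the gateway.

Illustrative example added to this article; it is not UnityPoint's tooling.
The internal domain, lure-word list and sample messages are all constructed.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-health.test"   # assumed internal mail domain (constructed)

# Subject phrases that commonly accompany credential lures (assumption, not exhaustive)
LURE_WORDS = ("password", "verify your account", "sign-in", "login")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is no @)."""
    return addr.rpartition("@")[2].lower()


def analyze(raw: str, internal_domain: str = INTERNAL_DOMAIN) -> dict:
    """Classify one raw RFC 5322 message.

    Returns whether the sender is external, the reasons it looks suspicious,
    and the subject the gateway would deliver (prefixed when external).
    """
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    from_domain = domain_of(from_addr)
    internal = internal_domain.lower()
    external = from_domain != internal
    reasons = []

    # Lookalike domain: one or two character edits away from the real one
    if external and 0 < edit_distance(from_domain, internal) <= 2:
        reasons.append(f"sender domain {from_domain} resembles {internal}")
    # Replies silently redirected to a third domain
    if reply_addr and domain_of(reply_addr) != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    # Upstream authentication results, as written by the receiving MX
    auth = msg.get("Authentication-Results", "").lower()
    if any(f"{mech}=fail" in auth for mech in ("spf", "dkim", "dmarc")):
        reasons.append("sender authentication failed")
    # Credential-themed subject arriving from outside the organisation
    if external and any(word in subject.lower() for word in LURE_WORDS):
        reasons.append("credential-themed subject from an external sender")

    return {
        "external": external,
        "suspicious": bool(reasons),
        "reasons": reasons,
        "subject": ("[EXTERNAL] " + subject) if external else subject,
    }


# Constructed sample messages (headers only; bodies are irrelevant here)
SAMPLES = {
    "internal_report": (
        "From: Jane Doe <jane.doe@example-health.test>\n"
        "Subject: Weekly report\n\nAttached.\n"
    ),
    "lookalike_lure": (
        "Authentication-Results: mx.example-health.test; spf=fail\n"
        "From: IT Help Desk <helpdesk@example-heaIth.test>\n"   # capital I for l
        "Reply-To: reset@mail-attacker.test\n"
        "Subject: Action required: verify your password\n\nClick here.\n"
    ),
    "legit_vendor": (
        "From: Vendor Billing <billing@vendor.test>\n"
        "Subject: Invoice 1234\n\nSee attached.\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, analyze(raw))
```

The `[EXTERNAL]` tag alone does not block anything; its value is that a message claiming to come from the help desk while wearing the tag is an obvious contradiction to a trained reader, which is why the tagging and the training item above belong together. The reasons list is what an analyst would want in the quarantine record when reviewing a flagged message.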
This is not the first successful phishing attack carried out against UnityPoint this year. In April, UnityPoint admitted that a phishing attack compromised employee email accounts and led to the exposure of PHI of 16,429 patients. The company said it discovered the breach on February 15 and determined that the breach occurred between November 1, 2017, and February 7, 2018. It began notifying patients on April 16.
The PHI included dates of birth, medical record numbers, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service, and insurance information. For some patients, their Social Security numbers and financial information may also have been exposed.
In response to the earlier breach, a class action lawsuit was filed in US District Court in Madison, Wisconsin. The lawsuit argued that UnityPoint, which operates Meriter Hospital in Madison, waited more than two months after the breach was discovered before notifying the public and regulators.
Yvonne Mart Fox of Middleton, Wisconsin, the lead plaintiff, said that she began noticing an increase in the number of robocalls on her cellphone and landline and spam emails in early 2018. She said that she has experienced daily anger and sleep disruption because of the data breach.
After receiving UnityPoint’s letter, she called the company and was told to take steps to protect her information. She asked if UnityPoint would pay for any of those steps but did not get an answer. After a number of calls, UnityPoint said that no compensation would be provided.
The lawsuit is seeking compensatory, punitive, and other damages from UnityPoint along with restitution to affected patients.