1.4 million patient records breached in UnityPoint Health phishing attack

This is the second breach for the health system this year, and the biggest health data breach of 2018 in the U.S.
By Jessica Davis
11:56 AM

UnityPoint Health's Meriter Hospital in Madison, Wisconsin. Credit: Google Maps

UnityPoint Health is notifying 1.4 million patients that their records may have been breached when its business system was compromised by a phishing attack.

This is the second breach for UnityPoint this year. In April, another phishing attack on staff email accounts at its Madison campus breached the data of 16,000 patients.

According to the notice, the health system’s business email system was hit by a series of targeted phishing emails that looked like they were sent from an executive within UnityPoint. An employee fell victim to the emails, which gave hackers access to internal email accounts from March 14 until April 3.

Law enforcement and forensic investigators believe the attack was financially motivated. The investigation found the hackers were likely trying to use the email system to divert vendor or payroll payments. Officials said the EHR and billing systems weren’t impacted by the attack.

The hacked accounts contained protected health information, including names, addresses, medical data, treatment information, lab results and/or insurance information. For some of the 1.4 million patients, payment card and Social Security numbers were included in the breach.

UnityPoint reset the passwords on the compromised accounts, conducted mandatory phishing education for employees, added security tools to identify suspicious emails and implemented multi-factor authentication, officials said.

The breach is the largest in the U.S. this year by a landslide. LifeBridge reported a breach of 500,000 in May. And nearly 280,000 Oklahoma Medicaid patient records were breached in January. Singapore’s health system suffered a similar breach just a few weeks ago.

Data breaches and other pressing infosec matters will be among the topics that expert speakers address at the upcoming HIMSS Healthcare Security Forum, scheduled for Oct. 15-16 in Boston. 

Twitter: @JF_Davis_
Email the writer: jessica.davis@himssmedia.com