1.4 million patient records breached in UnityPoint Health phishing attack
UnityPoint Health is notifying 1.4 million patients that their records may have been breached when its business system was compromised by a phishing attack.
According to the notice, the health system’s business email system was hit by a series of targeted phishing emails that looked like they were sent from an executive within UnityPoint. An employee fell victim to the emails, which gave hackers access to internal email accounts from March 14 until April 3.
Law enforcement and forensic investigators believe the attack was financially motivated. The investigation found the hackers were likely trying to use the email system to divert vendor or payroll payments. Officials said the EHR and billing systems weren’t impacted by the attack.
The hacked accounts contained protected health information, including names, addresses, medical data, treatment information, lab results and/or insurance information. For some of the 1.4 million patients, their payment card and Social Security number were included in the breach.
UnityPoint reset the passwords on the compromised accounts, conducted mandatory phishing education for employees, added security tools to identify suspicious emails and implemented multi-factor authentication, officials said.
The breach is the largest in the U.S. this year by a landslide. LifeBridge reported a breach of 500,000 in May. And nearly 280,000 Oklahoma Medicaid patient records were breached in January. Singapore’s health system suffered a similar breach just a few weeks ago.