It has been discovered that a number of email accounts of staff members of UnityPoint Health have been accessed by unauthorized individuals.
Staff email accounts were first accessed on November 1, 2017 and went on for a duration of three months, ending on February 7, 2018, when the phishing attack was discovered and access to the compromised email accounts was disabled.
After detecting the phishing attack, UnityPoint Health hired the services of a computer forensics firm to review the extent of the breach and the number of patients who had their email accounts accessed. The investigation showed that a wide range of protected health information may have been gained by the cyber attackers, which detailed names along with one or more of the following data elements:
- Medical record number
- Date of birth
- Service dates
- Treatment information
- Surgical information
- Laboratory test results
- Provider details
- Insurance particulars
The data violation has not showed up on the Department of Health and Human Services’ breach online portal, so it remains unclear exactly how many patients had their email accounts compromised by the breach. Official notifications were sent to staff members affected by the breach, beginning today.
There have been no reports of any health information being used inadvertently. However, since private health information may have been obtained by the cyber attackers, UnityPoint Health has indicated that impacted individuals should employ measures to safeguard their data. Those measures looking over insurers’ Explanation of Benefits statements, keeping a close eye on accounts for fraudulent behaviour, and contacting insurers for a complete list of all medical services paid under their insurance policy and to carefully monitor the list for any services that have not been received.
The hacking incident has lead to UnityPoint Health to enhance security controls to avoid similar incidents from being felt in the future.