UnityPoint Health Phishing Attack May Have Impacted 1.4 Million Patients

by | Aug 5, 2018

A huge UnityPoint Health phishing attack has been reported to the HHS’ Office for Civil Rights (OCR), one in which the protected health information of up to 1.4 million patients could have been obtained by cyber criminals.

So far, this phishing incident is comfortably the largest healthcare data breach registered in 2018, involving more than double the number of healthcare records as the California Department of Developmental Services data breach seen in April.

It is also the biggest phishing incident to be reported by a healthcare provider since the OCR began publishing data breaches in 2009, and the largest healthcare breach since the 3,466,120-record breach reported by Newkirk Products, Inc., in August 2016.

The UnityPoint Health phishing attack was discovered on May 31, 2018. A forensic investigation showed that multiple email accounts had been accessed between March 14 and April 3, 2018 due to employees being tricked by email impersonation scams.

Business email compromise scams occur when hackers gain access to the email account of a senior executive and use that account to send internal emails in an attempt to obtain sensitive data such as W-2 Forms or to convince employees to make fraudulent wire transfers. However, access to an executive’s email account is not always required. If the attackers spoof an executive’s email address, it may be enough to fool employees into replying.

This seems to have been the case in the UnityPoint Health phishing attack. An executive’s email account was spoofed and many employees replied to the messages and disclosed their email credentials.
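The attack pattern described above (an executive's identity spoofed in the From header, with replies steered to an attacker-controlled address) leaves signals a mail gateway or SOC rule can check before the message reaches a user. The following is an added example, not code from the original article or from UnityPoint Health: it scans constructed sample headers for a display name that matches a known executive while the sending domain is external, and for a Reply-To domain that differs from the From domain. The organization domain, the executive roster and the sample messages are assumptions made for the example.

```python
"""
Flag inbound email whose display name impersonates a known executive or whose
Reply-To redirects responses off-domain (two common BEC spoofing signals).
Standard library only; organization data below is constructed for the example.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Assumed organization domain and executive display names (hypothetical values).
ORG_DOMAIN = "example-health.org"
EXECUTIVES = {"jane doe", "john roe"}


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoof_indicators(raw_message: str) -> List[str]:
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings: List[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # Signal 1: display name matches an executive, but the address is not ours.
    if from_name.strip().lower() in EXECUTIVES and from_domain != ORG_DOMAIN:
        findings.append(
            f"display name '{from_name}' matches an executive but sender domain "
            f"'{from_domain}' is not {ORG_DOMAIN}"
        )

    # Signal 2: replies are routed to a different domain than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_addr and reply_domain != from_domain:
        findings.append(
            f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'"
        )

    return findings


# Constructed sample: look-alike sender domain plus off-domain Reply-To.
SAMPLE_SPOOFED = """From: Jane Doe <jane.doe@examp1e-health.org>
Reply-To: Jane Doe <jane.doe@mail-forwarding.net>
To: payroll@example-health.org
Subject: Urgent: vendor payment update

Please confirm your login details so I can approve the transfer today.
"""

# Constructed sample: genuine internal message, no findings expected.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-health.org>
To: payroll@example-health.org
Subject: Q2 vendor review

Agenda attached for Thursday.
"""


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(label, spoof_indicators(sample) or ["no indicators"])
```

A production rule would also consult the message's authentication results (SPF, DKIM, DMARC) and a maintained executive roster rather than a hard-coded set, but the two header checks above catch the exact pattern the article describes: an impersonated executive and an off-domain reply path.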

UnityPoint Health reviewed the incident with the assistance of third-party digital forensic consultants. The investigation indicated that the primary aim of the attack was to divert vendor payments and payroll funds to accounts controlled by hackers.

A review of the compromised email accounts showed they contained a wide variety of protected health information in the body of messages and attachments. That information could have been obtained by the hackers and downloaded.

The sort of information accessed varied from patient to patient, but may have included names, addresses, birth dates, medical record numbers, diagnosis information, treatment information, laboratory test results, health insurance data, surgical details, provider names, dates of service, driver’s license numbers, Social Security numbers and, for a small number of patients, financial information such as credit card numbers.

Twelve months of credit monitoring services have been offered to impacted patients whose Social Security number, driver’s license number, or financial data was accessed. UnityPoint Health says it has not yet been made aware of any misuse of PHI.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile: