A huge UnityPoint Health phishing attack has been reported to the HHS’ Office for Civil Rights (OCR), one in which the protected health information of up to 1.4 million patients could have been obtained by cyber criminals.
So far, this phishing incident is comfortably the largest healthcare data breach registered in 2018, involving more than double the number of healthcare records exposed in the California Department of Developmental Services data breach seen in April.
It is also the biggest phishing incident reported by a healthcare provider since the OCR began publishing data breaches in 2009, and the largest healthcare breach of any kind since the 3,466,120-record breach reported by Newkirk Products, Inc., in August 2016.
The UnityPoint Health phishing attack was discovered on May 31, 2018. A forensic investigation showed that multiple email accounts had been accessed between March 14 and April 3, 2018 due to employees being tricked by email impersonation scams.
Business email compromise scams occur when hackers gain access to the email account of a senior executive and use that account to send internal emails in an attempt to obtain sensitive data such as W-2 Forms, or to convince employees to make fraudulent wire transfers. However, access to an executive’s email account is not always required. If the attackers spoof an executive’s email address, that alone may be enough to fool employees into replying.
This seems to have been the case in the UnityPoint Health phishing attack. An executive’s email address was spoofed, and many employees replied to the messages and disclosed their email credentials.
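The spoofing described above is detectable at the mail gateway because a message that claims to come from an internal executive has to survive three checks: the display name must match the executive’s real address, mail claiming the internal domain must pass DMARC, and the Reply-To and Return-Path domains must not quietly diverge from the From domain. The following is an added example written for this article, not code from UnityPoint Health or from the article’s author; the internal domain `example-health.org`, the executive watch-list, and the three sample messages are all constructed for illustration.

```python
"""Flag inbound mail that impersonates an internal executive.

Added example, not part of the original article. The domain, the
executive watch-list and the sample messages are assumptions
constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-health.org"  # assumption: the organisation's real domain

# Assumption: executives whose identity an attacker would spoof, keyed by
# lower-cased display name, mapped to the only address they legitimately use.
EXECUTIVES = {
    "jane doe": "jane.doe@example-health.org",
}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _auth_result(header: str, mechanism: str) -> str:
    """Extract the verdict (pass/fail/none...) for spf, dkim or dmarc
    from an Authentication-Results header; 'none' if absent."""
    m = re.search(rf"\b{mechanism}=(\w+)", header or "", re.IGNORECASE)
    return m.group(1).lower() if m else "none"


def assess_message(raw: str) -> list:
    """Return the reasons a message looks like executive impersonation.
    An empty list means nothing suspicious was found."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    display = display.strip().lower()
    from_dom = _domain(addr)
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    auth = msg.get("Authentication-Results", "")
    reasons = []

    # 1. Display name of a known executive paired with some other address
    #    (covers look-alike domains and free webmail accounts).
    if display in EXECUTIVES and addr.lower() != EXECUTIVES[display]:
        reasons.append(f"display name '{display}' used with non-matching address {addr}")

    # 2. Anything claiming our own domain must authenticate; an external
    #    bounce address is a second sign that the sending infrastructure is not ours.
    if from_dom == INTERNAL_DOMAIN:
        if _auth_result(auth, "dmarc") != "pass":
            reasons.append("From claims internal domain but DMARC did not pass")
        if return_path and _domain(return_path) != INTERNAL_DOMAIN:
            reasons.append(f"Return-Path domain {_domain(return_path)} differs from From domain")

    # 3. A Reply-To pointing elsewhere routes the victim's reply (and any
    #    credentials in it) to the attacker rather than the spoofed executive.
    if reply_to and _domain(reply_to) != from_dom:
        reasons.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {from_dom}")
    return reasons


# Constructed sample messages (not real traffic).
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example-health.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example-health.org
From: "Jane Doe" <jane.doe@example-health.org>
Reply-To: <jane.doe.ceo@mail.example.com>
To: payroll@example-health.org
Subject: Urgent: confirm your login

Please reply with your email username and password so I can approve the change today.
"""

LOOKALIKE = """\
Return-Path: <jane.doe@example-heaith.org>
Authentication-Results: mx.example-health.org; spf=pass smtp.mailfrom=example-heaith.org; dkim=pass; dmarc=pass header.from=example-heaith.org
From: "Jane Doe" <jane.doe@example-heaith.org>
To: payroll@example-health.org
Subject: Vendor payment update

Please update the vendor bank details attached.
"""

LEGIT = """\
Return-Path: <jane.doe@example-health.org>
Authentication-Results: mx.example-health.org; spf=pass smtp.mailfrom=example-health.org; dkim=pass; dmarc=pass header.from=example-health.org
From: "Jane Doe" <jane.doe@example-health.org>
To: payroll@example-health.org
Subject: Board meeting minutes

Minutes attached, thanks.
"""

if __name__ == "__main__":
    for name, sample in (("SPOOFED", SPOOFED), ("LOOKALIKE", LOOKALIKE), ("LEGIT", LEGIT)):
        print(name, assess_message(sample))
```

The look-alike case is the one DMARC alone misses: the attacker's own domain can be perfectly authenticated, so the display-name watch-list is what catches it. Conversely, the spoof of the real domain is caught by DMARC regardless of the display name, which is why both checks are kept.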
UnityPoint Health reviewed the incident with the assistance of third-party digital forensic consultants. The investigation indicated that the primary aim of the attack was to divert vendor payments and payroll funds to accounts controlled by hackers.
A review of the compromised email accounts showed they contained a wide variety of protected health information in the body of messages and attachments. That information could have been obtained by the hackers and downloaded.
The sort of information accessed varied from patient to patient, but may have included names, addresses, birth dates, medical record numbers, diagnosis information, treatment information, laboratory test results, health insurance data, surgical details, provider names, dates of service, driver’s license numbers, Social Security numbers and, for a small number of patients, financial information such as credit card numbers.
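Deciding which of the identifiers listed above sat in a compromised mailbox is the part of the investigation that drives notification, since the patients owed credit monitoring are those whose Social Security, driver’s license or financial numbers were exposed. The following is an added example, not code from the investigators or from the article, that scans message text for the two identifier types with a reliable syntax (SSNs and Luhn-valid card numbers) and reports masked findings rather than the raw values, so the triage output is not itself a new copy of the PHI. The sample message body is constructed.

```python
"""Triage a mailbox export for SSNs and payment card numbers.

Added example, not part of the original article. Patterns and the
sample text are constructed for illustration; the SSN rule encodes the
SSA's structural constraints (no 000/666/9xx area, no 00 group, no 0000
serial) and the card rule requires a Luhn-valid 13 to 19 digit number.
"""
import re

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits with optional single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Keep only the last `keep` digits so findings can be logged safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - keep) + digits[-keep:]


def scan_text(text: str) -> dict:
    """Return masked SSN and card findings found in `text`."""
    findings = {"ssn": [], "pan": []}
    for m in SSN_RE.finditer(text):
        findings["ssn"].append(mask(m.group()))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings["pan"].append(mask(digits))
    return findings


def notification_tier(findings: dict) -> str:
    """Map findings to the two outcomes the article describes: plain breach
    notice, or notice plus credit monitoring when SSN or financial data was exposed."""
    if findings["ssn"] or findings["pan"]:
        return "notify+credit-monitoring"
    return "notify"


# Constructed sample message body (not real patient data).
SAMPLE_BODY = """\
Patient: J. Smith, MRN 00481516, DOB 04/02/1961
SSN on file: 219-09-9999
Card used for copay: 4111 1111 1111 1111
Old card (typo in file): 4111-1111-1111-1112
Order ref: 000-12-3456
"""

if __name__ == "__main__":
    result = scan_text(SAMPLE_BODY)
    print(result, notification_tier(result))
```

The two rejected strings in the sample show why the extra validation matters: `4111-1111-1111-1112` has the right shape but fails Luhn, and `000-12-3456` has the SSN shape but an impossible area number. A real triage pass would additionally walk attachments and apply whatever medical record number format the organisation uses, which this example deliberately leaves out.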
Twelve months of credit monitoring services have been offered to impacted patients whose Social Security numbers, driver’s license numbers, or financial data were accessed. UnityPoint Health says it has not yet been made aware of any misuse of PHI.