UnityPoint Health discovered that unauthorized individuals accessed the email accounts of several employees. The accounts were accessed over a period of three months, from November 1, 2017 until the phishing attack was detected on February 7, 2018. UnityPoint Health blocked access to the compromised email account and hired a computer forensics firm to investigate the extent of the breach and identify the patients affected.
According to the investigators, the attackers potentially obtained a wide array of protected health information, including names combined with one or more of the following: date of birth, medical record number, service dates, surgical information, treatment details, lab test results, diagnoses, insurance information and provider information.
The Department of Health and Human Services’ breach portal has not yet published the UnityPoint Health security breach, and the exact number of affected patients has not yet been determined. However, UnityPoint Health began mailing notification letters to patients on April 16, 2018.
To date, no report of misuse of health information has been received. As a safety precaution, UnityPoint Health advised the affected patients to check for possible insurance fraud or identity theft. Patients should review the Explanation of Benefits statements from their insurer and monitor their accounts for possible fraudulent activity. They may also request a full list of the medical services paid under their insurance policy and check whether they received all of those services. UnityPoint Health has also improved its security controls to prevent similar breaches from happening again.