HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Several Employee Email Accounts Compromised in UnityPoint Health Phishing Attack

UnityPoint Health has discovered the email accounts of several employees have been compromised and accessed by unauthorized individuals.

Access to the employee email accounts was first gained on November 1, 2017 and continued for a period of three months until February 7, 2018, when the phishing attack was detected and access to the compromised email accounts was blocked.

Upon discovery of the phishing attack, UnityPoint Health engaged the services of a computer forensics firm to investigate the scope of the breach and the number of patients impacted. The investigation revealed a wide range of protected health information had potentially been obtained by the attackers, which included names in combination with one or more of the following data elements:

Medical record number, date of birth, service dates, treatment information, surgical information, lab test results, diagnoses, provider information, and insurance information.

The security breach has yet to appear on the Department of Health and Human Services’ breach portal, so it is currently unclear exactly how many patients have been affected by the breach. Notifications to individuals impacted by the breach started to be mailed on April 16, 2018.

To date there have been no reports of any health information being used inappropriately. However, since PHI may have been obtained by the attackers, UnityPoint Health has recommended affected individuals take steps to protect against insurance fraud an identity theft. Those steps include reviewing insurers’ Explanation of Benefits statements, monitoring accounts for fraudulent activity, and contacting insurers for a full list of all medical services paid under their insurance policy and to carefully check the list for any services that have not been received.

The incident has prompted UnityPoint Health to strengthen security controls to prevent similar incidents from occurring in the future.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.