The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

UConn Health Phishing Attack Sees PHI of 326,000 Patients Exposed

Posted By on Feb 25, 2019

UConn Health is notifying approximately 326,000 patients that some of their personal information has been exposed as a result of a phishing attack on some of its employees.

UConn Health learned about the phishing attack on December 24, 2018. All email accounts were secured, and an internal investigation was launched. The investigation confirmed that multiple email accounts had been accessed by unauthorized individuals.

A third-party computer forensics company was retained to investigate the attack and search for protected health information in emails and email attachments in the compromised accounts. While it was not possible to determine who was responsible for the attack nor whether emails and email attachments in the compromised accounts had been viewed by the attacker(s), PHI access could not be ruled out.

UConn Health explained in its substitute breach notice that no reports have been received to indicate any patient information has been misused.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The majority of individuals affected by the attack were patients. Some employees have also had personal information exposed. Information contained in the compromised email accounts was limited to names, addresses, dates of birth, and some clinical information, such as appointment dates and billing information. Approximately 1,500 Social Security numbers were also potentially compromised.

All patients whose PHI was potentially accessed by the attackers have been notified by mail. Complimentary identity theft protection services have been offered to patients whose Social Security number was exposed.

UConn Health is reviewing its technical controls to prevent phishing attacks and is currently evaluating additional security training platforms to better educate staff on phishing and other cybersecurity threats.

In late January, the University of Connecticut warned students to be alert to the risk of phishing attacks following a spate of spam and phishing emails received by students over the past few months, some of which impersonated the UConn mail service. It is unclear whether the warning was related to the email breach at UConn Health.

The Department of Health and Human Services’ Office for Civil Rights has been notified. The breach portal indicates up to 326,629 patients have been affected by the breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist