UConn Health Phishing Attack Sees PHI of 326,000 Patients Exposed

UConn Health is notifying approximately 326,000 patients that some of their personal information has been exposed as a result of a phishing attack on some of its employees.

UConn Health learned about the phishing attack on December 24, 2018. All email accounts were secured, and an internal investigation was launched. The investigation confirmed that multiple email accounts had been accessed by unauthorized individuals.

A third-party computer forensics company was retained to investigate the attack and search for protected health information in emails and email attachments in the compromised accounts. While it was not possible to determine who was responsible for the attack nor whether emails and email attachments in the compromised accounts had been viewed by the attacker(s), PHI access could not be ruled out.

UConn Health explained in its substitute breach notice that no reports have been received to indicate any patient information has been misused.

The majority of individuals affected by the attack were patients. Some employees have also had personal information exposed. Information contained in the compromised email accounts was limited to names, addresses, dates of birth, and some clinical information, such as appointment dates and billing information. Approximately 1,500 Social Security numbers were also potentially compromised.

All patients whose PHI was potentially accessed by the attackers have been notified by mail. Complimentary identity theft protection services have been offered to patients whose Social Security number was exposed.

UConn Health is reviewing its technical controls to prevent phishing attacks and is currently evaluating additional security training platforms to better educate staff on phishing and other cybersecurity threats.

In late January, the University of Connecticut warned students to be alert to the risk of phishing attacks following a spate of spam and phishing emails received by students over the past few months, some of which impersonated the UConn mail service. It is unclear whether the warning was related to the email breach at UConn Health.

The Department of Health and Human Services’ Office for Civil Rights has been notified. The breach portal indicates up to 326,629 patients have been affected by the breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.