University of Utah Reports Phishing Attack Involving the PHI of up to 10,000 Patients

The University of Utah has experienced a phishing attack that potentially involved the protected health information of up to 10,000 patients. This is the 4th data breach to be reported to the Department of Health and Human Services by the University of Utah in 2020. All four incidents are listed as hacking/IT incidents involving email. The previous breach reports were submitted on June 8, 2020 (1,909 individuals), April 3, 2020 (5,000 individuals), and March 21, 2020 (3,670 individuals).

Unauthorized individuals gained access to employee email accounts between January 22, 2020 and May 22, 2020, according to the substitute breach notice on the University of Utah Health website. It is unclear at this stage if the latest breach report also involved access to employee email accounts in the same time frame.

Kathy Wilets, Director of Public Relations at University of Utah Health provided a statement to in which she explained that the phishing incidents were being treated as separate incidents but may have been part of a coordinated campaign. She said the latest incident potentially involved access to a limited amount of patient information and the number of individuals affected – 10,000 – is an estimate. The investigation may reveal fewer individuals were affected. Steps have since been taken to improve email security, including the implementation of 2-factor authentication.

Highpoint Foot and Ankle Center Ransomware Attack Impacts 25,554 Patients

Highpoint Foot and Ankle Center in New Britain Township, PA suffered a ransomware attack in May 2020 in which patient information was encrypted and potentially accessed or exfiltrated by the attackers. Highpoint Foot and Ankle discovered the attack on May 20, 2020 when staff were prevented from accessing certain files on the network.

An investigation was launched which revealed an unauthorized individual had remotely installed ransomware on its computer systems. No evidence was found to suggest patient data was accessed by the attacker prior to file encryption nor have any reports been received that indicate patient information has been misused.

A third-party computer forensics firm was hired to assist with the investigation and determined files containing the protected health information of 25,554 patients were potentially compromised. The files contained names, addresses, dates of birth, social security numbers, diagnoses, treatment information, and release states.

Additional safeguards have now been implemented to protect patient records and all patients affected by the breach have been notified by mail.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.