
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

University of Utah Reports Phishing Attack Involving the PHI of up to 10,000 Patients

The University of Utah has experienced a phishing attack that potentially involved the protected health information of up to 10,000 patients. This is the 4th data breach to be reported to the Department of Health and Human Services by the University of Utah in 2020. All four incidents are listed as hacking/IT incidents involving email. The previous breach reports were submitted on June 8, 2020 (1,909 individuals), April 3, 2020 (5,000 individuals), and March 21, 2020 (3,670 individuals).

Unauthorized individuals gained access to employee email accounts between January 22, 2020 and May 22, 2020, according to the substitute breach notice on the University of Utah Health website. It is unclear at this stage if the latest breach report also involved access to employee email accounts in the same time frame.

Kathy Wilets, Director of Public Relations at University of Utah Health, provided a statement to databreaches.net in which she explained that the phishing incidents were being treated as separate incidents but may have been part of a coordinated campaign. She said the latest incident potentially involved access to a limited amount of patient information and the number of individuals affected – 10,000 – is an estimate. The investigation may reveal fewer individuals were affected. Steps have since been taken to improve email security, including the implementation of 2-factor authentication.

Highpoint Foot and Ankle Center Ransomware Attack Impacts 25,554 Patients

Highpoint Foot and Ankle Center in New Britain Township, PA suffered a ransomware attack in May 2020 in which patient information was encrypted and potentially accessed or exfiltrated by the attackers. Highpoint Foot and Ankle discovered the attack on May 20, 2020 when staff were prevented from accessing certain files on the network.

An investigation was launched which revealed an unauthorized individual had remotely installed ransomware on its computer systems. No evidence was found to suggest patient data was accessed by the attacker prior to file encryption nor have any reports been received that indicate patient information has been misused.

A third-party computer forensics firm was hired to assist with the investigation and determined files containing the protected health information of 25,554 patients were potentially compromised. The files contained names, addresses, dates of birth, social security numbers, diagnoses, treatment information, and release states.

Additional safeguards have now been implemented to protect patient records and all patients affected by the breach have been notified by mail.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
