Utah Valley Eye Center Hacking Incident Leads to Phishing Attack on Patients

Utah Valley Eye Center in Provo, UT is warning patients that some of their personal information may have been accessed by an unauthorized individual following a security breach involving its scheduling reminder portal on June 28, 2018.

The hacker obtained the email addresses of 5,764 patients and sent each a phishing email in an attempt to gain access to PayPal credentials. The emails spoofed PayPal and advised the recipients that they had received a payment.

Upon discovery of the security breach, Utah Valley Eye Center contacted all individuals who had been emailed to warn them about the security breach. No evidence has been uncovered to suggest any other information was accessed or misused, although the hacker would have had access to patient names, addresses, phone numbers, and dates of birth. No personal health or financial information is believed to have been accessed.

Only 5,764 phishing emails were sent, but Utah Valley Eye Center could not determine exactly how many patients’ protected health information was viewed or obtained by the hacker. The decision was therefore taken to send notification letters to all 20,418 patients to allow them to take steps to protect against identity theft and fraud.

The incident has been reported to the Utah Department of Health, the Utah Department of Human Services, and the HHS. Affected individuals have been advised to place a fraud alert on their credit files as a precaution against misuse of their information.

It is currently unclear when the breach was discovered and why it has taken until now for a press release to be issued about the security breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.