1.4 million affected by phishing attack at UnityPoint Health

August 10, 2018
Medicare Web

UnityPoint Health in Des Moines, Iowa, notified approximately 1.4 million patients in late July that their personal information may have been breached after hackers used phishing techniques to enter the company’s email system.

UnityPoint discovered the phishing email attack on May 31, according to its security notice. The phishing attack came via an email that appeared to be from an executive within the organization. The message tricked some employees into providing confidential sign-in information, giving the attackers access to their email accounts between March 14, 2018, and April 3, 2018.

After the discovery, UnityPoint worked with law enforcement and a computer forensic firm to determine the extent of the attack. Officials believe the attack was an attempt to divert business funds, such as payroll and vendor payments, and not specifically to obtain patient information.

UnityPoint stated that its electronic medical record and patient billing systems were not affected by the attack, but patient information may have been compromised through emails and files attached to emails sent between employees as a routine part of patient care.

Personal health information that may have been contained in the compromised email accounts includes:

  • Names
  • Addresses
  • Dates of birth
  • Medical record numbers
  • Medical information
  • Treatment information
  • Surgical information
  • Diagnoses
  • Lab results
  • Medications
  • Providers
  • Dates of service
  • Insurance information
  • Social Security numbers
  • Driver’s license numbers
  • Payment card numbers
  • Bank account numbers

This is not the first phishing attack to hit UnityPoint Health this year. On February 15, UnityPoint discovered a breach that gave attackers access to its email system between November 1, 2017, and February 7, 2018. According to an initial report, that breach affected around 16,000 patients.
