WEST DES MOINES, Iowa -- A phishing attack on UnityPoint Health's email system may have compromised the personal and health data of more than a million patients in Iowa, western Illinois and southern Wisconsin, according to a media release from the company.
Patient information that may have been captured via email includes: patient names and addresses, dates of birth, medical records, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service and insurance information and possibly Social Security and driver's license numbers.
UnityPoint is in the process of notifying 1.4 million patients that their information may have been compromised.
“We take our responsibility to protect patient information very seriously and deeply regret this incident occurred,” said RaeAnn Isaacson, Privacy Officer, UnityPoint Health. “While we are not aware of any misuse of patient information related to this incident, we are notifying patients about what happened, what information was involved, what we have done to address the situation, and what patients can do to help protect their information.”
The company pointed out that in such phishing attacks, the criminals are typically trying to use the organization's email system to divert payroll or vendor payments for financial gain.
In this attack, employees of UnityPoint were tricked into divulging confidential sign-in information to internal email accounts by posing as a high-level executive via email. The emails compromised were sent between March 14 and April 3 2018.
Due to the size of the breach, UnityPoint is offering free credit monitoring for one year to anyone whose Social Security or driver's license number was compromised. In addition, the company has estabished a toll-free helpline at 1-888-266-9285, available Monday-Friday from 8 a.m. to 8 p.m. central time patients can call for information and steps to take to protect against misuse of their information. A dedicated help website has also been established.
The company has mailed notification letters via U.S. Mail on July 30, 2018, to individuals impacted by this incident, where the patients' last-known home address was available.
You can read the entire media release, which includes information about additional steps UnityPoint has taken to protect its systems going forward here.