UnityPoint Health announced that they have been the victim of a phishing email attack that may have resulted in unauthorized access to health and personal information for some patients.
Originally discovered on May 31, 2018, the email attack compromised information of approximately 1.4 million patients.
The compromised information includes names and other information ranging from addresses to medical and insurance information. In some instances Social Security numbers and driver’s license numbers may have been released.
UnityPoint said that they do not know of any misuse of that information as of right now.
“We take our responsibility to protect patient information very seriously and deeply regret this incident occurred,” said RaeAnn Isaacson, Privacy Officer, UnityPoint Health. “While we are not aware of any misuse of patient information related to this incident, we are notifying patients about what happened, what information was involved, what we have done to address the situation, and what patients can do to help protect their information.”
Electronic medical records were unaffected by the attack, only information that could be accessed through email accounts were at risk.
The phishing emails tricked some employees into providing their confidential sign-in information which gave attackers access to their internal email accounts between March 14, 2018 and April 3, 2018.
The problem has been identified and work has been done to secure their systems to make sure nothing further happens with the security incident.
UnityPoint said they have engaged with cyber experts to navigate the issue and are ready to support questions and concerns.
“We continue to work closely with leading experts to learn from our experience and help our organization – and other health care organizations – prevent these kinds of cybercrimes,” said Isaacson.
UnityPoint Health will offer free credit monitoring services for one year to individuals whose Social Security number and/or driver’s license number were included in the compromised email accounts.
They also recommend individuals to remain vigilant when reviewing account statements and should follow up with the applicable insurance company if they do not recognize something on the statement.
Law enforcement and forensic experts said these types of attacks are normally driven financially in an attempt to reroute business funds or payments, rather than learn personal information.
Letters were mailed on July 30 to notify current and former patients who may have been affected. UnityPoint has also set up a call center and a website to help detail the situation and provide help for questions people may have. They can be accessed either at 888-266-9285 or http://www.unitypoint.org/security-notice.
The help line is open Monday through Friday from 8am-8pm.