UnityPoint Health Phishing Attack Exposed PHI of 1.4 Million Patients


Another UnityPoint Health phishing attack has been discovered, and this time it is huge. Hackers gained access to numerous email accounts that contained the PHI of approximately 1.4 million patients.

This incident is the largest healthcare data breach to be reported since August 2016 and the largest healthcare phishing incident reported since the HHS' Office for Civil Rights began publishing summaries of healthcare data breaches in 2009.

Not only does this breach stand out in terms of scale, it is also notable for the amount of data contained in the compromised email accounts. While the types of data exposed differ from patient to patient, the breach involved names, Social Security numbers, driver's license numbers, dates of service, lab test results, surgical information, treatment information, diagnoses, medical record numbers, dates of birth, addresses, health insurance information and, for some patients, financial information, a treasure trove of data for identity thieves and fraudsters.

The UnityPoint Health phishing attack appears to have been an attempt to gain access to email accounts in order to fraudulently obtain UnityPoint Health funds, through efforts to divert payroll and vendor payments to bank accounts controlled by cybercriminals. Nevertheless, the theft of PHI cannot be ruled out.

Patients whose Social Security numbers, driver's license numbers, or financial information were exposed have been offered a year of credit monitoring and identity theft protection services as a precaution.

The UnityPoint Health phishing attack was typical of many successful phishing attacks on companies. The attackers spoofed the email address of a trusted executive in the organization. A number of employees were deceived and believed the emails to be genuine. When links in the emails were clicked, employees were required to enter their login credentials, which were captured by the attackers and used to remotely access their email accounts.
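The executive spoofing described above can be screened for at the mail gateway. The sketch below is an added example, not code from UnityPoint Health or from this article; the article does not say which form the spoofing took, so it covers both a forged internal From domain and an executive's display name on an outside address. The domain, gateway name, executive name and sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; none of them come from the article.
ORG_DOMAIN = "hospital.example"
TRUSTED_AUTHSERV = "mx.hospital.example"  # authserv-id of our own gateway
EXECUTIVES = {"jane doe"}                 # display names worth protecting

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts stamped by our own gateway only."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, *parts = header.split(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # a sender can forge this header; ignore foreign ones
        for part in parts:
            method, _, rest = part.strip().partition("=")
            if method in ("spf", "dkim", "dmarc") and rest:
                verdicts.setdefault(method, rest.split()[0].lower())
    return verdicts

def spoof_reasons(raw):
    """Return the reasons a raw message looks like executive impersonation."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    if domain == ORG_DOMAIN and auth_results(msg).get("dmarc") != "pass":
        reasons.append("internal From domain without DMARC pass")
    if display.strip().lower() in EXECUTIVES and domain != ORG_DOMAIN:
        reasons.append("executive display name on external address")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != domain:
        reasons.append("Reply-To domain differs from From domain")
    return reasons

# Constructed sample messages (not real mail).
FORGED_DOMAIN = (
    "Authentication-Results: mx.hospital.example; spf=fail; dmarc=fail\n"
    "Authentication-Results: relay.invalid; dmarc=pass\n"
    "From: Jane Doe <jane.doe@hospital.example>\n"
    "Reply-To: jane.doe@mailbox.invalid\n\nPlease sign in to confirm.\n")
LOOKALIKE_NAME = (
    "Authentication-Results: mx.hospital.example; spf=pass; dmarc=pass\n"
    "From: \"Jane Doe\" <jd.office@freemail.invalid>\n\nAre you at your desk?\n")
GENUINE = (
    "Authentication-Results: mx.hospital.example; spf=pass; dkim=pass; dmarc=pass\n"
    "From: Jane Doe <jane.doe@hospital.example>\n\nSee you Thursday.\n")
```

Calling `spoof_reasons()` on each sample returns an empty list only for `GENUINE`; a non-empty list is a signal to quarantine or banner the message before it reaches an inbox.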

Had two-factor authentication been implemented, remote access to the email accounts would have been blocked. However, that was not the case, and UnityPoint Health did not detect the unauthorized access to email accounts until May 31, 2018. The forensic investigation into the breach revealed that email accounts were compromised between March 14 and April 3, 2018.

This was not the only successful phishing incident discovered by UnityPoint Health in 2018. In April, the Des Moines-based healthcare provider announced it was the target of a phishing scam that saw several email accounts compromised between November 1, 2017 and February 7, 2018. The compromised email accounts contained the PHI of 16,400 patients.

Only now, after the second UnityPoint Health phishing attack, has the Utah healthcare provider implemented two-factor authentication. UnityPoint Health has also now made security awareness training mandatory for all employees, and additional security controls have been implemented to prevent future phishing attacks.