– A phishing attack on UConn Health potentially breached some personal and medical data of 326,000 patients, the Connecticut-based health system announced on Friday.
UConn Health recently discovered a hacker accessed a number of employee email accounts, and immediately secured the breached accounts. Officials said they also confirmed the security of the email system, contacted law enforcement, and hired a third-party forensics team to help with the investigation.
According to the notification, the investigation concluded on December 24, and officials determined the compromised accounts contained patients’ personal information. The data could include names, dates of birth, addresses, and limited medical information, like billing and appointment details.
For 1,500 patients, Social Security numbers were breached. Those patients will receive a year of free credit monitoring and identity theft protection services.
“Because we cannot isolate exactly what, if any, information may have been accessed, we notified individuals whose information was in the impacted accounts,” officials said in a statement. “The incident had no impact on our computer networks or electronic medical record systems.”
Since the cyberattack, officials said they’ve evaluated additional platforms to educate staff and reviewed technical controls. It’s the second largest breach reported in 2019: UW Medicine reported a breach impacting 974,000 patients last week.
Hackers continue to target the healthcare sector with phishing attacks, with credential compromise as the leading goal of those attacks in 2018. Email hacking is also one of the leading cyber threats to the sector.
Just last week, Vermont-based Rutland Regional Medical Center reported that nine employee email accounts were hacked between Nov. 6, 2018 and Feb. 6, 2019. An employee reported to the IT team that their email account was sending a high volume of spam emails on Dec. 29, 2018.
The IT team determined the account was compromised on December 31 and changed the employee’s password and hired a third-party forensics firm to help with the investigation. On February 6, officials determined the hackers gained access to nine employee email accounts, but no EHRs or other systems were compromised.
The breached data could include name, contact details, Social Security numbers, financial data, dates of birth, health insurance information, and medical or clinical data, such as diagnoses and treatments.