UnityPoint Health, a multi-hospital delivery system serving parts of Iowa, Illinois and Wisconsin, was the victim of a phishing attack discovered in February that compromised some employees’ email accounts.
In acknowledging the breach, the organization reported that access could have gone undetected for several months and affected the data of an unknown number of individuals.
The organization did not publicly release how many people had information compromised. Information on the breach has not yet been posted on the data breach website operated by the HHS Office for Civil Rights.
After discovering the breach, UnityPoint secured the email accounts, changed passwords and contracted with forensic specialists to assess the damage. An investigation revealed that protected health information in the emails included patient names, dates of birth, medical record numbers, treatment information, diagnoses, lab results, medications, providers, dates of service, insurance information and a limited number of Social Security numbers or financial information.
The investigation also found that protected health information could have been accessed as far back as Nov. 1, 2017; the breach was discovered on February 7.
“To date, we are not aware of any reports of identity fraud, theft or improper use of information as a direct result of this incident,” the organization said in a notification letter to affected patients. “However, we want to make impacted individuals aware of the situation so they can take precautionary measures to protect their health information.”
In the letter, UnityPoint explained four steps individuals can take to protect their medical information. However, the notification letter did not mention whether the organization would offer protective services such as credit and identity theft protection.
The organization did not respond to a media request for additional information on the size of the breach and whether protective services will be offered.