UnityPoint Health announced it has notified about 1.4 million patients of an email phishing scam that may have compromised patient protected health or personal information, according to a news release.
An investigation revealed UnityPoint Health received a series of fraudulent emails disguised to seem like they came from an executive within the organization, tricking some employees into providing their sign-in information. This gave attackers access to internal email accounts between March 14, 2018, and April 3, 2018.
Some compromised accounts included emails or attachments to emails, such as healthcare operations reports, protected health information and personal information for patients.
Patient information may have included addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service and insurance information. For some, information may have included a Social Security number or driver's license number. For what the release referred to as "a limited number of individuals," some leaked info could have included payment card or bank account numbers.
No known or attempted misuse of patient information has been reported yet.
Free credit monitoring services will be offered for one year to those whose Social Security number or driver's license number was in compromised email accounts. Those impacted should remain vigilant in reviewing account statements for fraudulent or irregular activity and should follow up with the applicable insurance company or care provider for any items that are not recognized.
Electronic medical record and patient billing systems were not impacted. The attack was likely focused on diverting business funds such as payroll or vendor payments, rather than on obtaining patient information, according to the release.
"We take our responsibility to protect patient information very seriously and deeply regret this incident occurred," RaeAnn Isaacson, privacy officer at UnityPoint Health, said in the release. "While we are not aware of any misuse of patient information related to this incident, we are notifying patients about what happened, what information was involved, what we have done to address the situation, and what patients can do to help protect their information."
Notification letters were mailed out Monday to those impacted.
Patients with questions or concerns should call a confidential toll-free helpline at 1-888-266-9285. The helpline is available 8 a.m. to 8 p.m. Monday through Friday. Patients can also visit www.unitypoint.org/security-notice.