University of Utah Health has been hit by another phishing attack, which led to the exposure of the protected health information (PHI) of 2,700 clients.
This is the third phishing attack at the University of Utah to be recorded by the HHS’ Office for Civil Rights during 2020. Earlier in the year, incidents were recorded on March 21 and April 3 and affected 3,670 and 5,000 patients, respectively.
In the most recent attack, an unauthorized person obtained access to staff email accounts between April 6 and May 22, 2020 as a result of responses to phishing emails. The email accounts were quickly locked down, and an investigation was initiated to determine whether the hackers were able to access patients’ PHI.
There is no proof to indicate whether PHI was accessed or exfiltrated, but the accounts did contain a limited amount of PHI which was possibly accessed. A review of emails and attachments in the impacted accounts showed they contained names, medical record numbers, dates of birth, and some clinical data linked to the medical services received at University of Utah Healthcare clinics.
The official review into the phishing attacks remains ongoing, but so far, no evidence has been found to indicate any PHI was stolen by the hackers and no reports have been received to indicate there has been improper use of PHI. Notification letters were mailed to affected patients on June 5, 2020.
University of Utah Health detailed in its substitute breach notice that its information security measures are being analyzed and security procedures will be reinforced with its staff to improve resilience to phishing attacks in the future. Security enhancements will be put in place across the entire enterprise and multi-factor authentication will be used to stop email account access if credentials are compromised going forward.