A UConn Health phishing attack in December has potentially allowed an unauthorized individual to gain access to the health information of hundreds of thousands of patients.
The attack was detected on December 24, 2018, and all email accounts were secured to prevent further unauthorized access. It is unclear how long the attacker had control of the accounts; the breach may have dated back months. While the accounts were accessible, emails may have been viewed or copied by the attacker.
A third-party computer forensics firm confirmed that multiple email accounts had been accessed by an unauthorized individual. The analysis revealed many emails contained the personal information of patients and some employees. It was not possible to determine whether any emails had been accessed or copied by the attacker.
In total, the personal information of 326,000 individuals is at risk as a result of the attack, most of whom are UConn Health patients. The types of patient information stored in emails in the compromised accounts varied from individual to individual, but may have included names, dates of birth, addresses, appointment dates, billing information and other clinical data. Around 1,500 Social Security numbers were exposed as a result of the attack.
UConn Health is in the process of notifying all individuals whose information was potentially compromised. Any individual whose Social Security number was included in the compromised email accounts is being offered complimentary identity theft protection services as a precaution, although to date, no reports have been received to suggest any data has been stolen and misused.
The attack has prompted UConn Health to reassess and bolster its email security controls. New security awareness training platforms are also being evaluated and staff will be provided with further training to improve resilience to phishing attacks in the future.
The UConn Health phishing attack is one of the largest healthcare data breaches to be reported in 2019 and is one of many 2019 healthcare phishing attacks. Phishing is the number one cybersecurity threat faced by the healthcare industry and attacks are rife. In January, 33 healthcare data breaches were reported to the Department of Health and Human Services’ Office for Civil Rights. More than 51% involved email.