UnityPoint Health Phishing Attack Exposed PHI of 1.4 Million Patients

Another UnityPoint Health phishing attack has been discovered, and this time it is huge. Hackers have gained access to multiple email accounts which contained the protected health information of approximately 1.4 million patients.

This incident is the largest healthcare data breach to be reported since August 2016 and the largest healthcare phishing incident reported since the HHS’ Office for Civil Rights started publishing summaries of healthcare data breaches in 2009.

Not only does this breach stand out in terms of scale, it is also notable for the amount of data that was contained in the compromised email accounts. While the types of data exposed varies by patient, the breach involved names, addresses, dates of birth, medical record numbers, diagnoses, treatment information, surgical information, lab test results, dates of service, driver’s license numbers, Social Security numbers, health insurance information and for some patients, financial information – a treasure trove of data for identity thieves and fraudsters.

The UnityPoint Health phishing attack appears to have been an attempt to gain access to email accounts with the intention of using them to fraudulently obtain UnityPoint Health funds, through attempts to divert payroll and vendor payments to bank accounts controlled by cybercriminals. However, the theft of protected health information cannot be ruled out.

Patients whose Social Security numbers, financial information, or driver’s license numbers have been exposed have been offered a year of credit monitoring and identity theft protection services as a precaution.

The UnityPoint Health phishing attack was typical of many successful phishing attacks on businesses. The attackers spoofed the email address of a trusted executive in the company. Several employees were duped and believed the emails to be genuine. When links in the emails were clicked, employees were required to enter their login credentials, which were recorded by the attackers and used to remotely access their email accounts.

Had two-factor authentication been implemented, the external accessing of the email accounts would have been blocked. However, that was not the case and UnityPoint Health did not detected the unauthorized accessing of email accounts until May 31, 2018. The forensic investigation into the breach revealed that email accounts were breached between March 14 and April 3, 2018.

This was not the only successful phishing incident to be discovered by UnityPoint Health in 2018. In April, the Des Moines-based healthcare provider announced it was the victim of a phishing scam that saw multiple email accounts compromised between November 1, 2017 and February 7, 2018. The compromised email accounts contained the PHI of 16,400 patients.

Only now, after the second UnityPoint Health phishing attack, has the Utah healthcare provider implemented two-factor authentication. UnityPoint Health has also now made security awareness training mandatory for all employees and additional security controls have been implemented to prevent future phishing attacks.

Author: NetSec Editor