UnityPoint Health Notifies 1.4M Patients of Data Breach Caused by Phishing Attack | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

UnityPoint Health Notifies 1.4M Patients of Data Breach Caused by Phishing Attack

July 31, 2018
by Rajiv Leventhal
| Reprints

UnityPoint Health, a health system based in Des Moines, Ia., has let about 1.4 million patients know that their personal and health information may have been compromised, according to a press release from the organization.

According to the release, on May 31, UnityPoint Health discovered that a phishing email attack had compromised its business email system and may have resulted in unauthorized access to protected health information and other personal information for some patients.

A forensics investigation revealed that UnityPoint Health received a series of fraudulent emails that were disguised to appear to have come from a trusted executive within the organization. The phishing emails tricked some employees into providing their confidential sign-in information which gave attackers access to their internal email accounts between March 14 and April 3. Some of the compromised accounts included emails or attachments to emails, such as standard reports related to healthcare operations, containing protected health information and/or personal information for certain patients, according to UnityPoint Health officials.

"We take our responsibility to protect patient information very seriously and deeply regret this incident occurred," RaeAnn Isaacson, privacy officer, UnityPoint Health, said in a statement. "While we are not aware of any misuse of patient information related to this incident, we are notifying patients about what happened, what information was involved, what we have done to address the situation, and what patients can do to help protect their information."

Officials said that the phishing attack was more likely focused on diverting business funds like payroll or vendor payments, rather than on obtaining patient information.

Electronic medical record (EMR) and patient billing systems were not impacted by this attack, according to officials.  However, patient information that may have been in compromised email accounts included patient names and one or more of the following: addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service and/or insurance information. For some individuals, information may have included a Social Security number and/or driver's license number. For a limited number of others, payment or bank information could have been breached.

The only unauthorized access to patient information may have occurred through compromised email accounts, where the information was contained in the body of an email or in attachments such as reports, officials asserted.

Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More



AHRQ Launches App Challenge for PRO Data Standardization

The Agency for Healthcare Research and Quality (AHRQ) has launched a competition to address the need for greater use of standardized patient-reported outcomes (PRO) data in clinical care and research.

Study: Many U.S. Hospitals won’t Reach HIMSS Stage 7 Until 2035

Unless the healthcare IT ecosystem experiences major policy changes or leaps in technological capabilities, many hospitals will not reach Stage 7 of HIMSS Analytics’ Electronic Medical Record Adoption Model until 2035, according to new research.

Amazon, Google, IBM and Other Tech Giants Pledge to Remove Barriers to Interoperability

Six of the world's biggest technology companies, including Microsoft, Google, IBM and Amazon, made a joint pledge at the White House Monday to remove interoperability barriers and to make progress on adoption of health data standards.

Mayo Clinic Elects New President and CEO

Gianrico Farrugia, M.D., current vice president, Mayo Clinic, and CEO of Mayo Clinic in Florida has been elected as the president and CEO of the Mayo Clinic, headquartered in Minnesota.

Fitbit, Blue Cross Blue Shield Launch Mobile Health Partnership

San Francisco-based fitness wearable maker Fitbit continues its push into the health plan market with a new digital health deal to incorporate its fitness tracker into health and wellness programs.

ASCO Picks IBM Watson Exec to Lead CancerLinQ

The American Society of Clinical Oncology (ASCO) has named a former IBM Watson executive as the new CEO of its CancerLinQ big data platform.