The largest data breach of 2018 (so far) has been claimed by a Midwestern health network. UnityPoint Health (UPH) has reported its second data breach of 2018, this time affecting 1.4 million patient records.
On July 30, 2018, UnityPoint Health reported that the protected health information (PHI) of 1.4 million patients was compromised after a recent phishing attack infiltrated their email servers. The exposed PHI included patient info such as names, addresses, dates of birth, and medical information, which included diagnoses, lab results, medications, providers, and insurance/treatment/surgical information.
UPH also reported that some of these 1.4 million patients had their Social Security numbers, driver’s license numbers, credit and debit card numbers, and bank account numbers exposed in the phishing attack as well. Medical records and financial information are among the most valuable kinds of personal data that hackers target during a malware attack, making health care organizations particularly vulnerable to the growing number of security incidents.
UnityPoint Health runs more than 50 clinics in Iowa, with 290 physicians and other providers. It began notifying its affected patients in early August 2018, sending out mailings to explain the severity of the breach.
It was reported that hackers had unlawful access to UPH’s internal email accounts from March 14, 2018 to April 3, 2018. UPH discovered the breach on May 31, 2018 and immediately contacted authorities to launch an investigation.
$12.5 Billion Lost in 5 Years
UPH worked with law enforcement and digital forensic investigators to find the culprit and motive of this massive breach.
“The phishing attack on UnityPoint Health was more likely focused on diverting business funds from our organization rather than on obtaining patient information,” UPH representatives said. “Based on our investigation, we believe the perpetrators were trying to use the email system to divert payroll or vendor payments.”
Though phishing attacks like these may not seem significant, the FBI estimates that victims have lost over $12.5 billion over the past five years.
Second Data Breach this Year…
This is not the first time in 2018 that UnityPoint Health has experienced a large-scale data breach. On February 15, 2018, UPH discovered that they had been targeted for another phishing attack that led to the exposure of 16,429 patient records.
They determined that the breach occurred between November 1, 2017 and February 7, 2018. UPH then began to notify its patients on April 16, 2018 that their PHI was compromised.
This breach led to a civil suit against UnityPoint, as one patient alleged that the health system did not notify its patients in a timely manner. The lawsuit sought compensatory, punitive and other damages, along with restitution to affected patients.
As of now, UnityPoint Health has denied compensation but is still waiting for the conclusion of the court case.
For health care providers of all sizes and scopes, civil suits in response to large-scale data breaches are becoming more and more common. The more at risk sensitive health care data is within a given organization, the more likely it is to experience a breach and potential litigation. This is not to mention potential HIPAA fines levied by the federal government, or Attorney General fines levied on a state-by-state basis.
Phishing Attacks and HIPAA Compliance
Ultimately, UnityPoint Health could have helped avoid this breach with proper cyber-security training for its internal staff. A phishing attack will usually target staff email. The hackers send a fake email that appears to be from an important executive at the organization. The employee then clicks a link in the email, planted by the hackers, which gives them access to the email system or network.
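A simple mail-triage check for the pattern described above (an executive's display name on an outside address, replies routed elsewhere, and a lure about moving money), written here as an added example rather than code from the article or from UnityPoint Health. The executive list, internal domain, and sample message are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed, hypothetical values: the organization's own domain and the
# executives whose names an attacker is most likely to impersonate.
INTERNAL_DOMAINS = {"example-health.org"}
EXECUTIVES = {"jane doe": "jane.doe@example-health.org"}
# Wording about redirecting money is the payroll/vendor-payment lure the
# article describes.
PAYMENT_TERMS = ("payroll", "direct deposit", "wire", "vendor payment", "invoice")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the reasons this message deserves a closer look (empty if none)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # 1. Display name of a known executive, but not that executive's real address.
    name_key = " ".join(from_name.lower().split())
    if name_key in EXECUTIVES and from_addr.lower() != EXECUTIVES[name_key]:
        findings.append(f"display name '{from_name}' does not match {EXECUTIVES[name_key]}")

    # 2. Sender looks internal (or claims to be an executive) but replies go outside.
    if reply_addr and _domain(reply_addr) not in INTERNAL_DOMAINS:
        if _domain(from_addr) in INTERNAL_DOMAINS or name_key in EXECUTIVES:
            findings.append(f"Reply-To goes to external domain {_domain(reply_addr)}")

    # 3. Lure content: the message asks to change where money is sent.
    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + " " + body.decode("utf-8", "replace")).lower()
    if any(term in text for term in PAYMENT_TERMS):
        findings.append("message concerns payroll or vendor payments")
    return findings


# Constructed sample message, not a real email.
SAMPLE = """From: Jane Doe <jane.doe@lookalike-mail.example>
Reply-To: Jane Doe <ceo.urgent@lookalike-mail.example>
To: payroll@example-health.org
Subject: Urgent: update direct deposit before Friday
Content-Type: text/plain

Please change my direct deposit to the new account I sent. Do this today.
"""

if __name__ == "__main__":
    for reason in phishing_indicators(SAMPLE):
        print("FLAG:", reason)
```

Rules like these belong in mail-gateway filtering alongside SPF/DKIM/DMARC checks; they catch the display-name trick that authentication alone does not.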
Proper employee training is at the heart of an effective HIPAA compliance program. “Implementing a compliance program goes hand-in-hand with robust security measures to keep your business safe, especially with data breaches in health care on the rise,” says Marc Haskelson, President and CEO of Compliancy Group.
Compliancy Group is health care’s choice for HIPAA compliance. Our HIPAA compliance web-app has helped thousands of clients achieve, illustrate, and maintain their compliance with confidence. Our proven methodology keeps your data safe, and we’re proud to say that not a single client has ever failed a HIPAA audit. Find out how Compliancy Group can help eliminate your HIPAA fears!