What the UnityPoint Health attack means.
Hackers compromised the health records of as many as 1.4 million patients of UnityPoint Health, an Iowa-based health system, according to a notice (PDF) from the company.
The trouble began in the spring with an email phishing attack, a kind of attack that has persisted because of human error and in spite of high-tech advances. By Monday afternoon, UnityPoint Health began notifying the public of the incident, which it said compromised its email system and “may have” led to illicit access to protected health information and other data. Hackers could have nabbed data on diagnoses, treatments and finances, but it’s unclear whether patient data have been misused.
“We take our responsibility to protect patient information very seriously and deeply regret this incident occurred,” the health system, whose footprint spans Iowa, Illinois and Wisconsin, said in a statement. “Upon learning of this attack, we informed law enforcement authorities and launched an investigation with an expert computer forensics firm.”
The 1.4 million patients caught up in the cyberattack make it among the largest, if not the largest, breaches of the year, according to a portal maintained by the Department of Health & Human Services’ Office of Civil Rights.
The breach is UnityPoint’s second of 2018. In mid-April, the health system reported that more than 16,000 patients’ records had been exposed in an earlier phishing expedition.
The most recent breach didn’t affect electronic medical records or patient billing systems, according to the notice. The phishing campaign tricked employees into providing confidential login information, which hackers used to infiltrate email accounts and access data contained within.
But UnityPoint Health officials don’t believe the attackers were after patient information.
“The phishing attack on UnityPoint Health was more likely focused on diverting business funds from our organization,” the health system said.
Since this breach came to light, healthcare and cybersecurity leaders have spoken out on healthcare’s ballooning data privacy problem.
Leon Lerman, CEO of the medical cyberdefense company Cynerio, said healthcare companies of all sizes must be on “high alert” for phishing attempts, especially given the sensitive nature of patient data. He advocated for an in-depth defense strategy to ward off phishing, malware and other hacks.
“Especially in the healthcare industry, we need to place more focus on educating employees on how hackers target organizations and what can organizations do to protect themselves,” Lerman said.
Indeed, other cybersecurity leaders said the UnityPoint attack is yet another sign of an increasingly perplexing challenge facing healthcare. Since June, for instance, more than 50 separate data breaches have been reported to the federal government.