A string of phishing attacks camouflaged as internal emails from one of the company’s executives was all it took for an employee to be duped into unknowingly granting access to the company’s database, and with it to sensitive patient information. The exposed data included names, patient dates of birth, medical records, laboratory results, dates of service, insurance information, driver’s license numbers, Social Security numbers, and even credit card and payment information.
According to a statement released by UnityPoint, the attack was first detected around May 31 on its internal email systems. The company immediately contacted the proper authorities (the FBI), hired external security experts and began a thorough forensic analysis of the possible breach. The investigation concluded that it was indeed a legitimate breach originating from an external source, disguised as several trusted emails from one of their executives.
UnityPoint, one of the largest hospital and clinic providers in Iowa, has already notified the more than 1.4 million affected users, mostly patients, that their information has been compromised. As mandated by law, most of the patients and users will receive a free annual credit report from the three major credit reporting companies. Moreover, UnityPoint employees were immediately ordered to reset their credentials to prevent further unauthorized access to the company’s systems. As an additional measure, they will also be required to undergo data security training.
This new incident is entirely separate from the one reported last April, in which almost 18,000 patients were affected, also by a phishing attack. Investigators are also considering the possibility that the previous attack was merely a test run to probe for other vulnerabilities in the company’s systems. Both attacks impacted patients not only in Iowa but also in North Carolina.
Surprisingly, neither attack was primarily after the patients’ medical records or the hospital’s electronic systems. They were more of a financially driven campaign, using the compromised email accounts to break in and access payroll and vendor payment systems. As of this writing, UnityPoint Health is aggressively taking precautions and strengthening its security systems.