WEST DES MOINES, Iowa (KCRG-TV9) — More 1.4 million patients may have had their private health information exposed in a recent phishing email attack, according to UnityPoint Health.
The health group said the attack did not affect electronic medical record and patient billing systems. It said notification letters were sent to impacted patients.
According to a news release, UnityPoint on May 31 discovered the attack on its business email system, notified law enforcement, and started a computer forensices investigation. That investigation found the company received a series of fraudulent emails disguised to have come from an executive within UnityPoint.
Some employees then provided their confidential sign-in information, giving attackers access to the workers' internal email accounts between March 14 and April 3 of this year. Some of those worker email accounts included emails or attachments containing protected health information and/or personal information for some patients.
Patient information possibly included names, addresses, dates of birth, medical records numbers, and insurance information. The attackers might also have gained access to patients' Social Security numbers and/or driver's license numbers. UnityPoint said a payment card or bank accounty number might also have been accessed for a limited number of patients.
UnityPoint Health will offer free credit monitoring services for one year to individuals whose social security number and/or driver’s license number were included in the compromised email accounts.
“We take our responsibility to protect patient information very seriously and deeply regret this incident occurred,” said RaeAnn Isaacson, Privacy Officer, UnityPoint Health. “While we are not aware of any misuse of patient information related to this incident, we are notifying patients about what happened, what information was involved, what we have done to address the situation, and what patients can do to help protect their information.”
In April, UnityPoint Health notified approximately 16,400 patients of a separate phishing email attack.
Patients who have questions or concerns regarding this incident may call a helpline at 1-888-266-9285. The helpline is staffed by professionals familiar with this incident and knowledgeable about what patients can do to protect against misuse of their information. The helpline is available Monday through Friday, 8:00 a.m. to 8:00 p.m. Central Time.
UnityPoint has also created a website where patients may access information about the incident.