- UnityPoint discovered the incident on May 31 and believes that the compromised accounts may have been accessed between March 14 and April 3.
- The compromised information includes the dates of birth, addresses, medical information, date of service and insurance information of the patients.
UnityPoint Health said the personal and healthcare information of around 1.4 million patients may have been compromised in an attack, the Gazette reported. The healthcare provider said that it fell victim to a phishing email attack earlier this year.
The incident was discovered on May 31. The healthcare group said a series of phishing emails that appeared to come from trusted executives of the institution were used to trick the employees into revealing their login credentials. This made the hackers’ job easier, giving them the ability to access the firm's business email system as well as patients’ accounts between March 14 and April 3.
Compromised information included patients’ personal and sensitive information such as dates of birth, addresses, medical information, insurance information and more.
However, UnityPoint claimed the attack did not compromise the organization’s electronic health records.
UnityPoint Health spokesperson Amy Varcoe said 33 percent of the affected patients had their Social Security numbers and driver’s license numbers compromised, the Gazette reported. On the other hand, less than one percent of the compromised accounts contained payment card or bank account details.
It is not immediately clear if the compromised information has been misused by the attackers.
The Des Moines-based healthcare group has started notifying the affected patients.
In a statement released on its website, UnityPoint Health said, "We take our responsibility to protect patient information very seriously and deeply regret this incident occurred."
The attack has pushed the healthcare provider to employ proactive security measures to prevent such attacks in the future.
"Upon learning of this attack, we informed law enforcement authorities and launched an investigation with an expert computer forensics firm. We have taken a number of important steps to further protect our system and prevent similar situations from happening in the future," UnityPoint said in a statement.
As part of the mitigation process, the healthcare group has suggested that all the affected individuals, including UnityPoint employees, use basic security practices to prevent such unauthorized access in the future. These include changing the passwords of their accounts, implementing multi-factor authentication and adding an anti-spoofing solution to detect any suspicious emails.
UnityPoint Health is also providing free credit card monitoring for one year to the patients whose Social Security number or driver’s license number has been compromised.