Many large healthcare data breaches have been reported recently in which hackers gained access to employees' email accounts and the sensitive data they held, but the recently disclosed UnityPoint Health phishing attack stands out for the sheer number of individuals affected and the wide range of sensitive data exposed.
UnityPoint Health is one of the largest healthcare networks serving Iowa residents. The Des Moines-based healthcare provider recently discovered that its employees had been targeted in a phishing campaign that compromised several email accounts. Those email accounts contained the sensitive information of approximately 1.4 million patients.
That makes this not only the largest phishing incident reported by a U.S. healthcare provider in 2018, but also the largest healthcare data breach of 2018 and one of the most serious phishing attacks and data breaches ever witnessed.
The UnityPoint Health phishing attack exposed highly sensitive data, including names, addresses, health insurance information, medical record numbers, diagnoses, treatment data, lab test results, medications, providers, dates of service, Social Security information, driver's license numbers and, for a limited number of patients, payment card information.
The phishing emails were sent to employees between March 14 and April 3, 2018, although the breach was not detected until May 31. As is common in phishing attacks on organizations, access to the email accounts was gained by impersonating a senior executive.
A series of spoofed emails was sent to employees that appeared to come from a trusted executive's email account. Employees who opened the email were instructed to click a link that took them to a page asking them to enter their email login credentials. Those credentials were captured by the attackers, who were then able to log in to the employees' email accounts.
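One defensive check that would have applied to the technique described above is flagging inbound mail whose display name matches a known executive while the sending address lies outside the organization's own domain. This is an added example, not code from UnityPoint Health or the original article; the domain, executive directory and sample messages are constructed for illustration.

```python
"""Flag inbound mail that impersonates an executive by display name."""
import email
from email.utils import parseaddr

# Constructed values for the example: the organisation's own mail domain and
# a small directory of executives with their legitimate addresses.
INTERNAL_DOMAIN = "example-health.org"
EXECUTIVES = {"jane doe": "jane.doe@example-health.org"}

# Constructed raw RFC 5322 messages (not real UnityPoint mail):
# a genuine internal message, an external lookalike, and an unrelated vendor.
SAMPLES = [
    "From: Jane Doe <jane.doe@example-health.org>\nSubject: Q2 numbers\n\nSee attached.\n",
    "From: Jane Doe <jane.doe.ceo@mail-login-portal.example>\n"
    "Subject: Urgent: verify your email account\n\nSign in here: http://mail-login-portal.example/owa\n",
    "From: Bob Smith <bob@vendor.example>\nSubject: Invoice\n\nHi.\n",
]


def normalise(name):
    """Collapse case and whitespace so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(name.lower().split())


def check_message(raw):
    """Return (verdict, reason) for one raw message string."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    key = normalise(display)
    if key in EXECUTIVES and domain != INTERNAL_DOMAIN:
        return "suspicious", f"executive display name '{display}' from external sender {addr}"
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        # Internal domain but not the executive's own mailbox (e.g. another compromised account).
        return "suspicious", f"executive display name with unexpected internal address {addr}"
    return "ok", ""


def triage(raw_messages):
    """Run the check over a batch of raw messages."""
    return [check_message(m) for m in raw_messages]


if __name__ == "__main__":
    for (verdict, reason), raw in zip(triage(SAMPLES), SAMPLES):
        print(verdict, "-", raw.splitlines()[0], "-", reason)
```

An exact forgery of the executive's real address passes this check; catching that relies on SPF, DKIM and DMARC enforcement at the mail gateway, alongside the multi-factor authentication that limits what stolen credentials are worth.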
The UnityPoint Health phishing attack may have given the hackers access to all the information stored in the compromised email accounts, information that could be used for identity theft and fraud. It is not known whether mailboxes were downloaded, although UnityPoint Health said its forensic investigation suggests that the main goal was to divert payroll payments and to use the account access to trick accounts department staff into completing fraudulent wire transfers. It is unclear whether any of those attempts succeeded.
This is also not the only UnityPoint Health phishing attack to be reported in 2018. In March, UnityPoint Health revealed that 16,400 patients had been affected by a separate phishing attack in which multiple email accounts were compromised.
In response to the most recent attack, the healthcare provider has implemented new technology to detect phishing and BEC attacks, turned on multi-factor authentication, and provided additional security awareness training to employees. Credit monitoring and identity theft monitoring services have been offered to patients whose driver's license or Social Security number was exposed, and all affected patients have been notified by mail.
As the Ponemon Institute's 2018 Cost of a Data Breach Study showed, the cost of breaches involving a million or more records is considerable. The average cost of such a breach was calculated to be around $40 million.