Salt Lake City-based University of Utah Health began notifying an undisclosed number of patients March 20 of a phishing scheme and subsequent malware attack.
In February, U of U Health discovered unusual activity on employees’ email accounts. After an investigation, the academic medical center determined that an unauthorized third party had gained access to employees’ email accounts between Jan. 7 and Feb. 21.
The hackers sent out a phishing email under the guise of a trusted source. Since the attack, U of U Health has secured the email accounts.
Patient data that may have been exposed in the phishing attack included names, dates of birth, medical record numbers and limited clinical information.
Following the discovery of the phishing incident, on Feb. 3 U of U Health discovered malware may have been downloaded on an employee’s workstation. After an investigation, officials determined that the malware may have allowed access to some patient data, including names, dates of birth, medical record numbers and limited clinical information.
Though the investigations into these incidents are ongoing, U of U Health said there is no evidence that patient information has been misused. The academic medical center is reviewing information protocols, reinforcing information security procedures and implementing necessary changes to reduce the likelihood of a similar incident happening again.