Several Des Moines, Iowa-based UnityPoint Health employees' email accounts were compromised and accessed by unauthorized individuals between Nov. 1, 2017 and Feb. 8 2018, according to HIPAA Journal.
The phishing attack went undetected for three months until access to the email accounts was blocked. UnityPoint Health tapped a computer forensics firm to investigate the incident, which revealed protected health information — including patients' names, medical record numbers, dates of birth, service dates, treatment information, surgical information, lab test results, diagnoses, provider information and insurance information — were potentially accessed.
The breach has yet to appear on HHS' Office for Civil Rights breach portal, so it is unclear how many patients were affected. However, the healthcare organization began mailing notification letters to affected individuals April 16, according to HIPAA Journal.
UnityPoint has not received any reports of health information being misused, but it recommends patients monitor their explanation of benefits statements and accounts for fraudulent activity.
More articles on cybersecurity:
Top 5 reasons patients decline access to EHRs, according to ONC's study
National Academy of Medicine releases ONC-funded report on improving clinical decision support
Black Book: Duplicate patient records cost hospitals almost $2k per inpatient stay