The University of Utah Health encountered another phishing attack that led to the exposure of the protected health information (PHI) of 2,700 patients.
For the third time this year, a phishing incident at the University of Utah was reported to the HHS’ Office for Civil Rights. The first incident, which impacted 3,670 patients, was reported on March 21. The second incident, which impacted 5,000 patients, was reported on April 3.
In the latest phishing attack, an unauthorized individual was able to access employees’ email accounts between April 6 and May 22, 2020, after those employees responded to phishing emails. After quickly securing the email accounts, the University had the incident investigated to determine whether the attackers were able to access patients’ PHI.
The investigators cannot be certain whether the attackers accessed or exfiltrated PHI; nevertheless, the accounts did contain PHI that the attackers possibly accessed. A review of the email messages and file attachments in the compromised accounts confirmed that the accounts contained PHI such as names, medical record numbers, birth dates, and some clinical information associated with the medical services provided at the facilities of the University of Utah Healthcare.
The investigation of the phishing attack remains in progress, but as of this time, there is no proof that the attackers committed PHI theft. No reports of misuse of patient PHI have been received either. Starting June 5, 2020, the University sent breach notification letters to the patients affected by the incident.
The University of Utah Health published a substitute breach notice that mentioned the ongoing review of its security policies. Improvements to security procedures will follow, and employees will undergo HIPAA training to strengthen resilience to phishing attacks. Security upgrades such as multi-factor authentication will be implemented across the entire enterprise to prevent email account access in the event of another compromise of credentials.