UConn Health has announced that a recent phishing attack has compromised approximately 326,000 patient files.
UConn Health is the branch of the University of Connecticut that oversees clinical care, advanced biomedical research, and academic education in medicine.
UConn Health discovered the phishing attack on December 24, 2018. IT security employees took measures to secure the email accounts affected by the attack. UConn Health launched an internal investigation into the causes and scope of the breach. The investigation discovered that a hacker used a phishing campaign to gain access to multiple employee email accounts.
UConn Health hired a third-party computer forensics company to assist with the investigation. One of the primary concerns of the investigators was to ascertain what private information the hacker could have accessed through the compromised email accounts. The investigators were unable to determine whether the unauthorised individual viewed the emails and email attachments. Although UConn Health states that they have yet to find any evidence that patient data has been misused, it is still possible that the hacker stole information during the breach.
Investigators are still trying to identify the threat actor behind the phishing campaign.
“UConn Health takes its responsibility to safeguard personal information seriously and apologises for any inconvenience or concern this incident might cause,” the health centre said in the statement. “We have taken and continue to take steps to help prevent something like this from happening again, including evaluating additional platforms for educating staff and reviewing technical controls.”
Most of the data contained in the emails pertained to UConn Health patients, but a limited number of employees were also affected by the breach. The information potentially stolen by the hacker was limited to names, addresses, dates of birth, some clinical information such as appointment dates and billing information, and approximately 1,500 Social Security numbers.
Following HIPAA’s Breach Notification Rule, UConn Health has sent breach notification letters to all affected patients. In a gesture of good faith, the healthcare organisation has offered complimentary identity theft protection services to patients whose Social Security number was exposed.
In the wake of the attack, UConn Health is reviewing its cybersecurity framework to prevent future phishing attacks. As this data breach was caused by employees responding to scam emails, UConn is devising a new cybersecurity awareness training program to better educate staff on phishing campaigns.
In late January, the University of Connecticut warned students to be alert to the risk of phishing attacks following a spate of spam and phishing emails received by students over the past few months, some of which impersonated the UConn mail service. It is unclear whether the warning was related to the email breach at UConn Health.
UConn Health has notified the Department of Health and Human Services’ Office for Civil Rights of the data breach. The breach portal indicates that up to 326,629 patients have been affected by the breach.