UnityPoint Health in Des Moines, Iowa, is warning patients of a data breach that could impact 1.4 million patients.
A series of phishing attacks disguised as emails from a trusted executive within the organization resulted in an employee taking the bait enabling access to sensitive company information.
Patient information including names, addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service and/or insurance information were all compromised in the incident.
Social Security numbers, driver's license numbers, and even payment card information for some patients were compromised.
Officials discovered the incident on May 31, 2018, when they learned a phishing attack resulted in the unauthorized access to the information and notified law enforcement as well as opened an investigation into the breach.
The threat actor was to able obtain confidential sign-in information and gained access to the accounts between March 14, 2018, and April 3, 2018, and officials said unauthorized access to protected health information and personal information may have occurred.
Employees have been instructed to reset passwords for all compromised accounts to prevent further unauthorized access and will attend mandatory education to recognize and avoid future phishing attempts.
Officials have also strengthened its networks' digital defenses by adding technology to identify suspicious external emails and have implemented multi-factor authentication which requires users to go through multiple steps to verify their identity in order to access the systems
Those who were potentially affected were also notified of the incident and will be entitled to one free credit report every twelve months from each of the three major nationwide credit reporting companies as mandated by law.
The attack has impacted patients in both Iowa and North Carolina.