UnityPoint Health has suffered its second data breach of 2018, with the latest affecting as many as 1.4 million patients' information, including medical and financial data.
The most recent data breach, which the health system announced this week, happened when hackers sent phishing emails that looked like they came from within the organization to UnityPoint staff members' business email addresses. Some employees were duped and gave the hackers their login information, thereby letting the hackers into their email accounts. The hackers had access to the accounts from March 14 through April 3. Though UnityPoint's electronic health records weren't breached, some of the emails in the accounts had protected health information and personal information in them.
In response, the $4 billion health system notified patients who may have been affected, educated employees about phishing emails, and added digital security tools, including mandatory two-factor authentication.
The information in the compromised email accounts could include patient names, birthdates, medical record numbers, medical information, insurance information, and Social Security and driver's license numbers, as well as credit card and bank account information.
In April, UnityPoint notified HHS' Office for Civil Rights that hackers breached 16,429 people's information through another email phishing attack.
Through the end of July, there have been 211 breaches reported to the OCR this year, affecting about 4.3 million people. That's up slightly from the same period in 2017, when there were 202 breaches that affected about 3.4 million people.