Did University of Utah Health really have three phishing incidents this year?
Maybe not.
I was confused when I saw a new listing on HHS’s public breach tool this week. The incident, reported to HHS on July 20, reportedly affected 10,000 patients and involved PHI located in email. As such, it seemed to match an incident that had been reported in early June, but the numbers were different. Becker’s Health Review also seemed uncertain, and changed their earlier headline declaring that U. of Utah Health had had a third data breach to a headline that focused on the number of patients impacted.
DataBreaches.net contacted U. Utah Health to confirm whether there were two phishing incidents this year or three. Kathy Wilets, Director of Public Relations helpfully responded:
This is the third phishing incident we have reported to HHS this year. While all are phishing related, available information makes it difficult to say that they are part of a single coordinated campaign so we are treating them as separate incidents. Access to patient data was limited and we have not encountered any indication that data has been misused in any manner. The reported numbers are estimates and the actual number of affected patients may be lower following the completion of our investigation.
So it sounds like it is not clear to them whether this is all one threat actor or group or not. Either way, they recognized it as a serious problem and took steps to prevent a recurrence. Ms. Wilets also noted that after the June press release, was issued, they implemented dual authentication across their email system to enhance safety.
We’re also in the process of contacting patients by mail, Ms. Wilets explained.