The DesMoines Register reports:
One of Iowa’s main hospital and clinic systems has notified about 1.4 million patients that their personal information might have been breached.
UnityPoint Health officials said hackers used “phishing” techniques to break into the company’s email system. The company, based in West Des Moines, said the hackers could have obtained medical information, such as diagnoses and types of care, that was included in emails.
Read more on the Des Moines Register.
UnityPoint’s web site has a notice and substitute notification. The former reads:
UnityPoint Health recently notified patients of a phishing email attack which compromised our business email system and may have resulted in unauthorized access to protected health information and other personal information for some patients.
We take our responsibility to protect patient information very seriously and deeply regret this incident occurred. Upon learning of this attack, we informed law enforcement authorities and launched an investigation with an expert computer forensics firm. We have taken a number of important steps to further protect our system and prevent similar situations from happening in the future.
We want to help our patients understand what happened and what it means for them. This site provides information from the patient notification letter and answers to frequently asked questions (FAQs). If you received a notification letter and have questions, or to determine if you may be affected, you may call our toll-free help line at (888) 266-9285. The help line is staffed by professionals familiar with this incident and knowledgeable about what you can do to protect against misuse of your information. The help line is available Monday through Friday, 8 a.m. to 8 p.m. Central Time.
Their substitute notice appears below: