The University of Utah Health is notifying patients whose protected health information was in some employees’ email accounts after they fell for a phishing attack.
The following is a notice posted on their website March 20th:
We are committed to protecting the confidentiality of our patients’ information. Regrettably, this notice is regarding an incident involving some patients’ information. This notice explains the incident, measures we have taken, and some steps you can take in response.
From January 22 to February 27, 2020, we became aware that there was unauthorized access to some employees’ email accounts. This unauthorized access occurred between January 7 and February 21, 2020. The unauthorized access occurred as a result of phishing schemes sent to the employees’ email accounts. Phishing is when someone replicates an email from a trusted source and sends it out in hopes of tricking a person and gaining unauthorized access to the email account. We quickly secured the email account, began an investigation, and engaged a cybersecurity firm to assist. Our investigation determined that some patient information was included in the email account, including names, dates of birth, medical record numbers, and limited clinical information about care received at University of Utah Health.
Additionally, on February 3, 2020, we became aware that a common type of malware may have been placed on an employee’s workstation. We quickly secured that workstation, began an investigation into this incident, and engaged a cybersecurity firm to assist. The investigation determined that the malware may have allowed access to some patient information from the employee’s email account, including patient names, dates of birth, medical record numbers, and limited clinical information related to the care U of U Health provided to patients.
Notification Letters
Our investigations into these incidents is ongoing. However, we have no indication any information has been misused. In an abundance of caution, we began mailing notification letters to patients on March 20, 2020 and have established a dedicated call center to answer questions our patients may have. We recommend patients review the statements they receive from their healthcare providers. If there are discrepancies or services that you did not receive, please contact the provider immediately.
We deeply regret any concern or inconvenience this may cause our patients. We are actively reviewing information protocols, reinforcing information security procedures with our employees and implementing changes where needed to help prevent an incident like this from happening again.
Questions or Concerns
If you have questions about this incident or believe you may have been impacted and do not receive a letter by April 30, please call 1-800-737-4251, Monday through Friday, 7:00 am to 4:30 pm Mountain Time.