Data breach reported at UnityPoint Health

Letters sent on Monday to people affected by the attack

Personal information about 1.4 million patients of UnityPoint Health may have been exposed as a result of an attack on the organization’s email system, leaders of the health care organization reported Monday.

UnityPoint Health sent letters on Monday to people affected by the security breach. The organization publicly revealed the problem Monday.

“We take our responsibility to protect patient information very seriously and deeply regret this incident occurred,” UnityPoint Health officials wrote in a statement.

The breach occurred between March 14 and April 3, according to UnityPoint Health. It was discovered May 31.

UnityPoint Health officials say that so far no one has reported any known or attempted misuse of personal information that could be related to the incident.

Those responsible for the email attack were probably trying to get money from UnityPoint Health and were not trying to get patients’ personal information, according to the health care organization.

“Based on our investigation, we believe the perpetrators were trying to use the email system to divert payroll or vendor payments,” UnityPoint Health leaders wrote in a statement about the incident.

UnityPoint Health owns Trinity Regional Medical Center in Fort Dodge, plus clinics and other medical facilities in Fort Dodge and the surrounding area. The security breach apparently affects UnityPoint Health facilities throughout Iowa, Illinois and Wisconsin.

The incident is being investigated by law enforcement and a computer forensics firm. That investigation revealed that UnityPoint Health received a series of fraudulent emails that were made to look as if they came from an executive in the health care system. Those emails tricked some employees into revealing their confidential sign-in information. That gave the attackers access to email accounts.

After getting access to the system, the attackers may have seen emails that contained patient names, addresses, birth dates and medical information, according to UnityPoint Health.

In some cases, they may have gained access to Social Security numbers, driver’s license numbers, payment card numbers and bank account numbers.

UnityPoint Health will offer free credit monitoring services for one year to anyone whose Social Security number or driver’s license number was in the compromised emails.

To prevent such an attack from succeeding again, UnityPoint Health has reset the passwords for all compromised email accounts, conducted mandatory training for employees, added technology to identify suspicious emails and implemented a system that requires users to go through multiple steps to access the email system.

The electronic medical records system and the patient billing system were not impacted by the attack.