UnityPoint Health, which runs more than 50 clinics in Iowa with 290 physicians and other providers, says a successful phishing campaign exposed patients’ personal and medical data stored in its email systems. It appears the information exposure is an unintentional byproduct of an attempt to divert payroll or vendor payments via what’s known as business email compromise or CEO fraud.
UnityPoint Health began notifying breach victims by mail on Monday. The Des Moines Register reports that 1.4 million patients are being notified.
If the U.S. Department of Health & Human Services (HHS) confirms these details, this incident would be the largest health data breach reported to federal regulators so far in 2018, according to a July 31 snapshot of the HHS’s HIPAA breach reporting website, also referred to as “the wall of shame.”