On Friday, the University of Utah Health (U of U Health) announced a data breach involving patient medical information, among other data, that resulted from a phishing attack.
U of U Health Breach Timeline of Events
The incident reportedly began on January 7, when at least one employee opened a phishing email that loaded malware onto a computer. The hackers presumably used this malware to steal credentials for multiple email accounts (the release does not specify the exact number of accounts).
U of U Security “became aware that there was unauthorized access to some of its employees’ email accounts” on January 22 and opened an investigation. On February 3, the security team located the workstation on which the malware was present.
During the investigation, investigators found patient health information in the email accounts. This led officials to release a notification on March 20.
The release did not indicate an exact number of affected people, but it appears to be fewer than 500. If 500 or more people’s information had been involved, the U.S. Department of Health and Human Services Office for Civil Rights would have opened an investigation and reported it on its breach portal. No breach report is found for this incident as of March 21, 2020. As the investigation continues, it’s possible, though less likely, that additional patient information will be found to be affected.
But the big part of the story missing from the U of U statement and the news coverage is that this was not a big breach. As I mentioned on Twitter earlier today, the U of U’s information security team are the unsung heroes. The headlines did not read “750,000 patient records breached” because the U of U’s information security team was able to stop the leak before it became a hemorrhage. Kudos to the team!
The news release states, “Investigation of these incidents continues to be a complex, time consuming, and highly technical process.” This is quite true. It takes a lot of time to assemble the pieces of a puzzle from many disparate sources of information. Because this involved email accounts, it’s likely that people had to check through every email to determine whose health information was compromised. Although the investigation is not complete, various state data breach laws required a breach notification.
The statement also reads, “U of U Health has no indication that patient information was misused.” Statements like these are irrelevant and exist so that lawyers can directly address breach laws such as Utah’s weak consumer data protection law:
If an investigation…reveals that the misuse of personal information for identity theft or fraud purposes has occurred, or is reasonably likely to occur, the person shall provide notification to each affected Utah resident.
Utah Code 13-44-202 (1)(a), https://le.utah.gov/xcode/Title13/Chapter44/13-44-S202.html
U of U Health’s Previous Major Breach
In June 2008, thieves stole backup tapes containing 1.5 million patient records from a courier’s vehicle. The thieves were ultimately caught and sentenced to 60 days and one year in jail. The incident ultimately cost $500,000 for credit monitoring and notification letters alone.
Phishing and Breaches Hitting Utah Hard
This breach is the latest in a series of medical breaches hitting Utah health providers. Since 2018, about 16% of Utah citizens have had their health information compromised in data breaches.
U of U Health is not the first Utah organization to have a protected health information breach involving email. On two separate occasions in 2018, hackers broke into the email accounts of HealthEquity, Inc. employees, which resulted in a health data breach affecting 181,800 customers.
Phishing attacks against Utah organizations are on the rise. Utah workers may recognize last year’s phishing campaign requesting money or gift cards, whose messages begin with a phrase such as “Are you available?” The campaign drew advisories from Weber State, Brigham Young University, the Salt Lake City Schools Board of Education, and many others across the nation, including those in the West like Boise State. Phishers are now taking advantage of the COVID-19 crisis by crafting messages related to the Coronavirus to entice people.
To protect against phishing, be wary of unsolicited emails, ask your employer for training, and follow the tips from the Department of Homeland Security.
3/21/2020 Update: added past data breach information.