Another phishing attack on the University of Utah Health resulted in the compromise of 2,700 patients’ protected health information (PHI).
This is the University of Utah’s third phishing incident to be reported to the HHS’ Office for Civil Rights this year. The University reported the first incident on March 21, which affected 3,670 patients and the second incident on April 3, which affected 5,000 patients.
In the most recent attack, an unauthorized person accessed employee email accounts from April 6 to May 22, 2020 after responding to phishing emails. The University secured the email accounts promptly and launched an investigation to find out if the attackers accessed patients’ PHI.
The investigators were unable to ascertain if there was access or exfiltration of PHI, however, the accounts indeed consist of some PHI which was possibly viewed. After analyzing the emails and attachments included in the compromised accounts, it was confirmed that the accounts contained names, birth dates, medical record numbers, and certain clinical data pertaining to the medical services given at the University of Utah Healthcare facilities.
The investigation of the incident is still in progress, however, up to now, there is no evidence that indicates the theft of any PHI by the attackers and there are no reports received that suggest the misuse of PHI. On June 5, 2020, the University already began sending notification letters to the affected patients.
In the University of Utah Health’s substitute breach notice, it mentioned that it is reviewing the information of its security protocols. Security procedures will be strengthened and employee’s resilience to phishing attacks will undergo improvements. The entire enterprise will implement security enhancements including the use of multi-factor authentication to avert future email account access in case of a compromise of credentials.