WATERLOO — More than a million patients of UnityPoint Health might have had health or personal information exposed, including Social Security and financial information, during a recent email phishing scam, company officials said Monday.

Approximately 1.4 million patients may have had their information compromised during a cyberattack that gave access to internal email accounts between March 14 and April 3, according to privacy officer RaeAnn Isaacson.

The company notified every patient who may have been affected, UnityPoint said.

“We take our responsibility to protect patient information very seriously and deeply regret this incident occurred,” Isaacson said in a press release. “While we are not aware of any misuse of patient information related to this incident, we are notifying patients about what happened.”

The attack was discovered May 31, and company officials went to law enforcement and launched their own investigation “with an expert computer forensics firm” to determine the scale of the attack, according to UnityPoint’s press release.

Company officials say some employees were tricked into providing login information, giving internal email access to attackers.

Most of that information was personal and health-related, but Social Security or driver’s license numbers may have been compromised for some individuals, and bank account numbers or credit card numbers may have been compromised for “a limited number of individuals,” company officials said.

For those people whose Social Security or driver’s license numbers were affected, UnityPoint is offering free credit monitoring services for one year, and noted patients should remain vigilant in reviewing account and health care statements for irregularities. They also have a helpline people can call with questions at (888) 266-9285.

UnityPoint reset passwords for all compromised accounts, implemented multi-factor authentication for users, added technology to help identify suspicious emails and conducted “mandatory education” for employees after the breach.

“We continue to work closely with leading experts to learn from our experience and help our organization — and other health care organizations — prevent these kinds of cybercrimes,” Isaacson said.

It’s not the first time employees have unwittingly let phishers in: In April, company officials discovered their email system was compromised by a phishing attack between Nov. 1 and Feb. 7. In that instance, about 16,400 people potentially had Social Security numbers and other financial information exposed.

UnityPoint Health is the 13th largest nonprofit health system in the country, with hospitals in Iowa, Illinois and Wisconsin.

Get local news delivered to your inbox!

* I understand and agree that registration on or use of this site constitutes agreement to its user agreement and privacy policy.

Load comments