[BreachExchange] 10,000 patients affected by data breach at University of Utah Health

Destry Winant destry at riskbasedsecurity.com
Thu Jul 30 09:53:53 EDT 2020


https://kutv.com/news/local/information-of-10000-patients-affected-by-data-breach-at-university-of-utah-health

SALT LAKE CITY (KUTV) — Approximately 10,000 patients' information was
affected by a data breach at the University of Utah Health, according
to the U.S. Department of Health and Human Services.

The department states information about the breach was processed on
Monday, July 20.

The health system stated in a press release on June 5 that a breach
occurred between April 6 and May 22. A hacker gained unauthorized
access to some of the U of U Health employees’ email accounts as part
of a phishing scheme. In the press release, the U did not specify how
many employees were affected.

The phishing scheme was sent to employees' email accounts and at least
one employee responded to it, believing the email to be a legitimate
request.

Once the incident was discovered, email accounts were secured and the
health system opened an investigation.

Patient information including names, dates of birth, medical record
numbers and limited clinical information was in the email accounts,
and may have been exposed.

Spokespeople for U of U Health say the breach was reported by the U in
June, but it was reported by HHS in July.

"The 10,000 was an estimate at that time. We still haven’t finished
the full investigation and the number could be smaller," Kathy Wilets,
a spokesperson for U of U Health, stated in an email to 2News.

U of U Health notified patients earlier this year of a similar attack
and "since that time has been working to implement enterprise-wide
security enhancements, including expanded use of multi-factor
authentication," according to a press release.

Patients with questions may call 1-844-994-2107, Monday through Friday
7 a.m. to 4:30 p.m. MT.

Students, faculty and staff at the University of Utah were informed of
another data breach on Wednesday. The following statement, in part,
said:

"On Sunday, July 19, 2020 computing servers in a college at the
University of experienced a security incident. The university has
notified appropriate law enforcement entities and the U's Information
Security Office (ISO) is actively investigating the matter.

As a precautionary measure, on July 29, 2020, students, staff and
faculty at the U were directed to change their university passwords
under certain conditions.

The university cannot offer further details on the nature of this
incident or the scope of its ramifications, pending the conclusion of
the active investigation. In the meantime, the university is working
to protect the data of its faculty, staff, and students and identify
steps to further strengthen IT security."

This second breach was not related to patients at U of U Health.
