Iowa Health Group Data Breach Hits 1.4 Million Patients
UnityPoint Health Says Hackers' Likely Goal Was Business Email Compromise Fraud
A large Midwestern health network says a successful phishing campaign exposed a raft of personal and medical data stored in its email systems. But it says that the information exposure appears to have been an unintentional byproduct of an attempt to divert corporate payments via what's known as business email compromise or CEO fraud.
UnityPoint Health, which runs more than 50 clinics in Iowa with 290 physicians and other providers, says it began notifying breach victims by mail on Monday. The Des Moines Register reports that 1.4 million patients are being notified.
If the Department of Health and Human Services confirms details, the UnityPoint incident would be the largest health data breach reported to federal regulators so far in 2018, according to a July 31 snapshot of the HHS HIPAA Breach Reporting Tool website. Commonly called the "wall of shame," the website lists reports of HIPAA breaches impacting 500 or more individuals (see Health Data Breach Tally: Lots of Hacks, Fewer Victims).
The exposed data was contained in UnityPoint Health employees' email accounts. On May 31, UnityPoint Health discovered that attackers had sent phishing emails, or messages designed to look like legitimate emails, to employees that purported to "come from a trusted executive within our organization," the organization says.
"The phishing emails tricked some of our employees into providing their confidential sign-in information, which gave attackers access to their internal email accounts between March 14, 2018, and April 3, 2018," UnityPoint Health says in a four-page advisory.
The email accounts accessed by the attackers contained attachments with protected health information and personal information for patients, UnityPoint Health says.
The exposed data may have included addresses, birth dates, medical record numbers, medical and treatment information, diagnoses, lab results, medications, providers, dates of service and insurance information. Some of those affected may have had their Social Security numbers, driver's license numbers, payment cards or bank account numbers exposed.
Likely Motivation: Diverting Payments
UnityPoint Health, outside digital forensic investigators and law enforcement officials suspect that the attack wasn't aimed at extracting personal data.
"The phishing attack on UnityPoint Health was more likely focused on diverting business funds from our organization rather than on obtaining patient information," the company says. "Based on our investigation, we believe the perpetrators were trying to use the email system to divert payroll or vendor payments."
That style of attack is often referred to as business email compromise. Once attackers compromise email accounts inside an organization, they study the authorizations and procedures that are used to complete payments.
Once that structure is understood, the attackers intercede, altering invoices or payment instructions in order to direct funds to accounts they control. The attacks are low tech, but devastating. The FBI estimated last month that BEC attacks have cost victims at least $12.5 billion over the past five years (see FBI: Global Business Email Compromise Losses Hit $12.5 Billion).
"While unauthorized access to patient data may have occurred, no known or attempted misuse of patient data has been reported at this time," UnityPoint Health says.
Still, health records are some of the most valuable data traded in underground markets. A study released by security firm Trend Micro in February 2017 says the records often contain a rich amount of data that can be applied to various types of fraud.
"One way that individuals are affected by a breach is when stolen personal data are used by cybercriminals to procure drugs, commit tax fraud, steal identities and commit other fraudulent acts," according to Trend Micro's report.
UnityPoint says it is offering one year of credit monitoring services to those whose Social Security numbers or driver's license numbers were exposed; those services aren't being offered to those who only had health information exposed.
Second Phishing Attack
UnityPoint Health's post-breach response gives some clue as to why these phishing attacks, despite being unsophisticated, continue to be so successful.
The company says it has now implemented multifactor authentication in order to access systems. That usually involves entering a one-time passcode or inserting a special security key in a computer to access an account.
Multifactor authentication isn't perfect, and phishers can still attempt to collect one-time passcodes that are sent over SMS or entered into web-based forms. But experts say the defensive measure is highly effective at stopping most phishing attacks.
The company has also reset the passwords of the compromised accounts and added "technology to identify suspicious external emails."
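The advisory does not say what that technology is. As an added example that is not UnityPoint Health's tooling, the following Python shows the kind of check a mail gateway applies to catch the pattern described in this article: an external sender reusing an internal executive's display name, a Reply-To that differs from the From address, and no passing DMARC result on an external message. The internal domain, the executive roster and the sample messages are all constructed for the example.

```python
"""Flag inbound email that looks like executive impersonation (display-name
spoofing), the lure used in the phishing campaign described above.
Added example: the domain, roster and sample messages below are constructed."""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-health.test"  # assumed internal mail domain

# Constructed roster of people a phisher would most likely impersonate.
EXECUTIVES = {
    "jane doe": "jane.doe@example-health.test",
    "john roe": "john.roe@example-health.test",
}


def _norm(name: str) -> str:
    """Normalise a display name so 'Doe, Jane' and 'jane  doe' compare equal."""
    return " ".join(name.replace(",", " ").split()).lower()


def analyze(raw: str) -> dict:
    """Return verdict and reasons for one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    external = domain != INTERNAL_DOMAIN
    reasons = []

    # 1. External sender wearing an internal executive's display name.
    if external and _norm(name) in EXECUTIVES:
        reasons.append("external sender uses an internal executive's display name")

    # 2. Replies silently routed somewhere other than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr:
        reasons.append("Reply-To address differs from From address")

    # 3. External mail whose From domain did not pass DMARC at our gateway.
    auth = msg.get("Authentication-Results", "").lower()
    if external and "dmarc=pass" not in auth:
        reasons.append("external message lacks a passing DMARC result")

    return {"from": addr, "external": external,
            "suspicious": bool(reasons), "reasons": reasons}


def tag_subject(raw: str) -> str:
    """Prefix the subject of external mail so recipients see the origin."""
    subject = message_from_string(raw).get("Subject", "")
    return "[EXTERNAL] " + subject if analyze(raw)["external"] else subject


# Constructed sample messages: one internal, one impersonation, one vendor.
SAMPLES = [
    "From: Jane Doe <jane.doe@example-health.test>\n"
    "To: staff@example-health.test\nSubject: Q3 numbers\n\nSee attached.\n",
    "From: Jane Doe <notifications@freemail.test>\n"
    "Reply-To: jane.doe.ceo@freemail.test\n"
    "To: payroll@example-health.test\n"
    "Subject: Urgent: confirm your sign-in\n\nPlease confirm your login.\n",
    "From: Vendor Billing <ap@vendor.test>\n"
    "Authentication-Results: mx.example-health.test; dmarc=pass header.from=vendor.test\n"
    "To: ap@example-health.test\nSubject: Invoice 1042\n\nInvoice attached.\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        verdict = analyze(raw)
        print(tag_subject(raw), "->", verdict["reasons"] or "clean")
```

Each check on its own produces false positives (a vendor's mailing service legitimately sets Reply-To), so a gateway would normally score them rather than block on any single hit; the subject tag is the cheapest of the three controls because it needs no roster at all.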
Those efforts to bolster security may have come too late, because this was the second phishing incident the company has disclosed this year. In April, the organization notified 16,400 patients of a separate phishing attack that affected its systems.
"Law enforcement agencies report dramatic increases in attacks on business email systems," UnityPoint Health says. "Often carried out by international criminal organizations, these highly sophisticated attacks utilize complex schemes that are constantly evolving."