The UnityPoint Health breach: Phishing for sensitive information

The UnityPoint Health breach: Phishing for sensitive information

On 31 May 2018, UnityPoint Health, a US-based healthcare provider organisation, discovered their business email system was compromised due to a phishing attack (UnityPoint Health, 2018). This was the second phishing attempt to be reported by UnityPoint Health in 2018 (HIPAA Journal, 2018).

A statement issued by UnityPoint Health states that the organisation was targeted by several emails that seemed to be sent by a trusted executive within the organisation. The fraudulent emails tricked employees into handing over confidential sign-in information. With this information, the hackers gained access to accounts, emails and email attachments. It is possible that protected health information or personal information was accessed (Donovan, 2018; UnityPoint Health, 2018). Based on their investigations, UnityPoint considers financial gain the most likely motivation. It seems the hackers tried to gain access to divert payroll or vendor payments, as opposed to gaining access to health information or patient information.

While likely not the main objective, the attack potentially compromised the records of around 1.4 million patients, making it the biggest healthcare data breach of 2018. Information such as names, dates of birth, medical diagnoses, and types of medical or treatment-related information, may have been compromised. In some cases, social security numbers, driver’s license numbers and credit or debit numbers were in the compromised files (Donovan, 2018).

As a result of this attack, UnityPoint Health has undertaken the following steps to prevent similar events from happening in the future. First, they reset passwords for all compromised accounts. Second, they implemented mandatory training for staff to learn how to recognise and avoid phishing attempts. Third, the organisation has purchased technology that will help identify suspicious (external) emails, and, finally, they have adopted multi-factor authentication for accessing their systems (UnityPoint Health, 2018).

These measures are appropriate to address a phishing attack after the fact and to hopefully prevent a future attack from being successful. However, since this was the second attack UnityPoint Health faced in 2018, they are likely to be investigated by the Department of Health and Human Services’ Office for Civil Rights. If this is the case and the investigation finds UnityPoint Health liable, the organisation may face a large fine on top of the costs caused by resolving issues connected directly to the phishing attacks (HIPAA Journal, 2018).


Donovan, F. (2018, July 31). Phishing Attack Exposes PHI of 1.4M UnityPoint Health Patients. Retrieved 30 September 2019, from HealthITSecurity website:

HIPAA Journal. (2018, July 31). 1.4 Million Patients Warned About UnityPoint Health Phishing Attack. Retrieved 30 September 2019, from HIPAA Journal website:

UnityPoint Health. (2018, August 1). Security Substitute Notification.pdf. Retrieved 30 September 2019, from