PHI of 326,000 Patients Exposed Due to UConn Health Phishing Attack

UConn Health is informing around 326,000 patients regarding the exposure of some of their personal data because of a phishing attack on several of UConn Health employees.

UConn Health discovered the phishing attack on December 24, 2018 and secured all email accounts. An internal investigation confirmed that the breach involved the access of several email accounts by unauthorized persons.

A third-party computer forensics firm assisted the investigation of the phishing attack and analyzed the compromised accounts for the protected health information contained in emails and file attachments. It can’t be determined who was behind the phishing attack. It can’t be known as well if the attacker(s) viewed the emails or the email attachments in the affected accounts. Nevertheless, PHI access cannot be ruled out. UConn Health mentioned in its substitute breach notice that there is no report received thus far that would indicate the misuse of any patient data.

The attack had the most impact on patients, though a number of employees’ personal information were also exposed. The compromised email accounts contained limited information including names, addresses, birth dates, and certain clinical data, for example consultation dates and billing details. About 1,500 Social Security numbers were likewise potentially exposed.

UConn Health already notified by mail all patients who potentially had their PHI accessed by the attackers. The patients whose Social Security numbers were exposed also received offers of complimentary identity theft protection services.

UConn Health is updating its technical controls to avoid other phishing attacks and is also assessing the need for further security training to better teach employees about phishing and other cyber threats.

The University of Connecticut, in fact, cautioned students late in January to be careful regarding the risk of phishing attacks subsequent to a large number of spam and phishing emails that students received over the last few months, including some from an impersonated UConn mail service. It is not clear though if the warning had something to do with the email breach that happened at UConn Health.