Paubox blog: HIPAA compliant email made easy

Iowa Health System d/b/a UnityPoint Health suffers HIPAA email breach - again!

Written by Seiji Iwasaki | August 20, 2018

On July 30, 2018, UnityPoint Health submitted a  HIPAA Email Breach to the  U.S. Department of Health and Human Services (HHS). Based in West Des Moines, Iowa, UnityPoint Health’s email breach affected 1,421,107 individuals’ protected health information.

This breach is the biggest breach of 2018 so far. UnityPoint Health is classified as a  Business Associate.

According to UnityPoint Health’s  statement given to the Des Moines Register:

UnityPoint Health officials said hackers used “phishing” techniques to break into the company’s email system. The company, based in West Des Moines, said the hackers could have obtained medical information, such as diagnoses and types of care, that was included in emails.

"While we are not aware of any misuse of patient information related to this incident, we are notifying patients about what happened, what information was involved, what we have done to address the situation, and what patients can do to help protect their information,” RaeAnn Isaacson, UnityPoint’s privacy officer, said in a press release Monday.

The hackers also might have obtained some patients’ financial information, such as bank account numbers, UnityPoint said.

The hackers used official-looking emails to obtain employees’ passwords, leading to the breach, the company said. The company said after it discovered the problem May 31, it hired outside experts and notified the FBI. 

UnityPoint said it doesn’t believe the hackers were after private health information. It suspects they wanted to divert payments, such as for payroll or outside business expenses. Still, the company is asking patients to keep close track of account statements for signs of fraud, such as inappropriate charges included in an “explanation of benefits.”

This is the second HIPAA email breach reported by UnityPoint.  UnityPoint's first HIPAA email breach occurred back in April 16 of this year.

 

UnityPoint Health Email Platform

We did an MX record lookup for UnityPoint Health and determined they are using Microsoft 365 as their email platform. We have seen an alarming number of Microsoft 365 customers reporting HIPAA Email Breaches in 2018.

 

HHS Wall of Shame

The  HHS Wall of Shame is a website under the jurisdiction of HHS that lists all HIPAA breaches reported within the last 24 months. The Wall of Shame displays breaches that are currently under investigation by the Office for Civil Rights. As part of section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of unsecured  protected health information affecting 500 or more individuals.

 

HIPAA Breach Report

The  Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals as reported in the HHS Wall of Shame.

 

Try Paubox Email Suite for FREE today.