Dive Brief:
- After UnityPoint Health last week notified 1.4 million people that their names, addresses, medical information — and in some instances driver's license and Social Security numbers and payment information — may have been compromised between March 14 and April 3, a lawyer who filed a class action suit on behalf of two patients affected by an earlier breach is now considering additional action.
- The Des Moines, Iowa-based nonprofit health system's network was breached when employees opened emails disguised to look like they came from a company official. UnityPoint discovered the problem May 31, and has launched an investigation with an outside cybersecurity firm to determine the size and scope of the attack.
- In April, UnityPoint notified 16,400 people their information was at risk because of a phishing attack that could date back to November.
Dive Insight:
Providers continue to struggle with cybersecurity, and phishing expeditions are a frequent culprit. They can result in a painful hit to a company's bottom line and negative publicity exacerbated by lawsuits. Healthcare organizations spend more than $400 per record lost or stolen after a data breach, the highest of any industry reviewed in a recent analysis by IBM Security.
A study by Accenture and the American Medical Association found four out of five doctors have experienced a cybersecurity attack. The majority involved phishing, followed by computer viruses.
In a Mimecast and HIMSS Analytics survey, providers ranked email the No. 1 source of potential data breaches. More than 90% of respondents said email was critical to their organization, and eight in 10 said they use it to send personal health information, typically to other providers.
Moreover, 78% of respondents said they had experienced a ransomware or malware attack in the past year and nearly one-fourth reported 16 or more attacks in that time period.
Last summer, cybersecurity experts identified a ransomware strain, called Defray, which targets healthcare organizations and spreads via a Microsoft Word attachment in emails sent to potential victims. The messages are designed to appear to come from a trusted source.
Still, eight in 10 healthcare organizations lack a chief cybersecurity officer to manage network security across the enterprise, according to a Black Book Market Research survey released in December. More than half of respondents admitted they don't conduct routine risk assessments of cyber vulnerabilities.
Since the latest attack, UnityPoint said it has reset the passwords for all compromised accounts and conducted mandatory training for employees on how to recognize and avoid phishing emails. The company has added technology to detect suspicious emails and implemented multifactor authentication.
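The phishing described above relied on emails disguised to look like they came from a company official. The check below is an added example, not UnityPoint's detection technology or any vendor's product: it takes a raw message, compares the From display name against a constructed list of protected officials and the organisation's own domains, and also flags an internal-looking sender whose Reply-To points elsewhere or that carries no DMARC pass in Authentication-Results. The domain names, officials and sample messages are all constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the organisation's own sending domains and the
# display names of officials that an impersonation attempt would likely copy.
INTERNAL_DOMAINS = {"example-health.org"}
PROTECTED_NAMES = {"jane doe", "john roe"}


def _normalise(name):
    """Lower-case, drop commas and collapse whitespace so 'Doe, Jane' and 'jane  doe' compare equal."""
    return " ".join(name.lower().replace(",", " ").split())


def _domain_of(address):
    """Return the lower-cased domain part of an address, or '' when there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_message(raw):
    """Return a list of human-readable reasons the message resembles executive impersonation.

    An empty list means none of the three checks fired; it is not proof the mail is safe.
    """
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain_of(addr)
    reasons = []

    # 1. A protected official's name on a From address outside our domains.
    if _normalise(display) in PROTECTED_NAMES and sender_domain not in INTERNAL_DOMAINS:
        reasons.append(
            f"display name '{display}' matches a protected official but the sender domain is '{sender_domain}'"
        )

    # 2. Internal sender but replies are routed to an external mailbox.
    reply_to = msg.get("Reply-To")
    if reply_to and sender_domain in INTERNAL_DOMAINS:
        _, reply_addr = parseaddr(reply_to)
        if _domain_of(reply_addr) not in INTERNAL_DOMAINS:
            reasons.append(f"internal sender but Reply-To goes to '{reply_addr}'")

    # 3. Internal sender with no dmarc=pass recorded by the receiving gateway.
    auth_results = msg.get("Authentication-Results", "")
    if sender_domain in INTERNAL_DOMAINS and "dmarc=pass" not in auth_results.lower():
        reasons.append("claims an internal domain but Authentication-Results has no dmarc=pass")

    return reasons


# Constructed sample messages (not real mail traffic).
SAMPLE_IMPERSONATION = """\
From: "Jane Doe" <jane.doe.ceo@mail-example.net>
To: accounts@example-health.org
Subject: Urgent: please review the attached invoice

Please handle this today.
"""

SAMPLE_LEGITIMATE = """\
From: "Jane Doe" <jane.doe@example-health.org>
To: accounts@example-health.org
Authentication-Results: mx.example-health.org; spf=pass; dkim=pass; dmarc=pass
Subject: Board meeting agenda

Agenda attached.
"""

SAMPLE_SPOOFED_INTERNAL = """\
From: "John Roe" <john.roe@example-health.org>
Reply-To: <john.roe.personal@webmail-example.com>
To: payroll@example-health.org
Subject: Direct deposit change

Please update my banking details.
"""


def triage(samples):
    """Map each sample label to its findings; handy for feeding a ticket or SIEM event."""
    return {label: check_message(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, findings in triage({
        "impersonation": SAMPLE_IMPERSONATION,
        "legitimate": SAMPLE_LEGITIMATE,
        "spoofed_internal": SAMPLE_SPOOFED_INTERNAL,
    }).items():
        print(label, "->", findings or "no findings")
```

The display-name check is deliberately narrow (exact match after normalisation) so it can run on every inbound message without drowning the mailbox team in alerts; widening it to near-matches is a tuning decision that belongs with the people who triage the results. The DMARC check assumes the receiving gateway stamps Authentication-Results, which is what a deployment that has enforced DMARC on its own domain provides.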