

Case Study: UnityPoint Health Breach


UnityPoint Health, a multi-hospital group that serves Iowa, Illinois, and Wisconsin, now faces the unfortunate task of informing over 1.4 million patients of the second data breach the organization has suffered this year alone. To be clear, it’s not just the second breach; it’s the second breach initiated through a phishing attack.

In the first breach, in April of this year, employee email accounts were phished, which led to the compromise of birth dates, Social Security numbers, medical record numbers, treatment information, diagnosis data, lab results, medications, providers, insurance information and important medical appointments.

The second breach also targeted employees, while adding debit/credit card payment information to the already staggering list of exposed information.

According to the release to patients, UnityPoint Health’s business email system was hit by a series of targeted phishing attacks that appeared to be sent from a high-level executive at UnityPoint Health to employees. One, you read that right, one employee fell for the attack, granting hackers full access to all internal email accounts from March 14th to April 3rd.

After a forensic investigation, law enforcement believes the attack was financially motivated, with hackers likely trying to use the email system to divert vendor or payroll payments for their financial gain.

In response to the breach, UnityPoint states they have implemented a multi-factor authentication system to verify users before they access their accounts. Besides this, the organization has reset all passwords of the compromised accounts, conducted mandatory phishing education for all employees and added security tools to aid in the identification of suspicious emails.

Unfortunately, as they say in medicine, prevention is always superior to a cure. UnityPoint is now faced with two class-action lawsuits that will inevitably cost the organization far more than any preventative cyber-security measures that should have been taken years earlier.

At Packetlabs, it’s our firm belief that information security, in any organization, should be considered as integral as insurance where risk is involved. Contact us to learn more about how we can help.