WEST DES MOINES, Iowa–A large health network here is reporting a data breach it says is the result of a successful phishing attempt.
But it isn’t believed patient data is what the thieves were after, according to the company, which says significant personal and medical data on as many as 1.4 million patients has been exposed.
According to UnityPoint Health, which operates more than 50 health clinics in Iowa, the data exposed was included in the email accounts of employees. In May, the company said it discovered the scammers had been sending phishing emails to employees, according to the Des Moines Register. The emails appeared to be from an executive with the company.
"The phishing emails tricked some of our employees into providing their confidential sign-in information, which gave attackers access to their internal email accounts between March 14, 2018, and April 3, 2018," UnityPoint Health said in a statement.
The email accounts accessed by the attackers contained attachments with protected health information and personal information for patients, UnityPoint Health reported.
In addition to personally identifiable data and health data, some people may have also had Social Security numbers, driver's license numbers, payment cards or financial account numbers exposed.
The Real Objective
But the company also indicated it suspects it wasn’t patients’ personal information that the thieves were seeking.
"The phishing attack on UnityPoint Health was more likely focused on diverting business funds from our organization rather than on obtaining patient information," the company said in a statement. "Based on our investigation, we believe the perpetrators were trying to use the email system to divert payroll or vendor payments."
UnityPoint says it is offering one year of credit monitoring services to those whose Social Security numbers or driver's license numbers were exposed; those services aren't being offered to those who only had health information exposed.