Cyberattacks at the University of Utah and Highpoint Foot and Ankle Center Impact 35,000+ Patients’ PHI

The University of Utah has experienced a phishing attack that may have affected the protected health information (PHI) of around 10,000 patients. This is the University of Utah’s 4th security breach report sent to the Department of Health and Human Services in 2020. All four cases are reported as hacking/IT incidents that involve email. The earlier breach reports were submitted on June 8, 2020 (affecting 1,909 people), April 3, 2020 (affecting 5,000 people), and March 21, 2020 (affecting 3,670 people).

Unauthorized people obtained access to employee email accounts from January 22, 2020 to May 22, 2020, according to the substitute breach notice published on the health website of the University of Utah. It is not yet clear whether the most recent breach report likewise involved access to employee email accounts during a similar period.

Kathy Wilets, the University of Utah Health Director of Public Relations, gave a statement to databreaches.net saying that the phishing attacks were being treated as distinct incidents but could have been part of a synchronized plan. She stated that the most recent incident possibly involved access to a restricted amount of patient data. The figure of 10,000 people impacted is an approximation, and the investigation might show that a smaller number of people were impacted. Action has since been taken to enhance email security, which includes the use of 2-factor authentication.

Ransomware Attack on Highpoint Foot and Ankle Center Impacts 25,554 Patients

Highpoint Foot and Ankle Center, located in New Britain Township, PA, experienced a ransomware attack in May 2020 in which the attackers encrypted and possibly obtained or exfiltrated patient data. Highpoint Foot and Ankle discovered the ransomware attack on May 20, 2020, when employees were prevented from accessing specific records on the system.

An investigation was launched and uncovered that an unauthorized individual had installed ransomware remotely on its computer networks. No proof was found indicating that the attacker obtained patient information prior to encrypting the data files. There was likewise no report received indicating improper use of patient information.

A third-party computer forensics company was employed to help with the investigation and established the potential exposure of files that contain 25,554 patients’ PHI. The files included names, birth dates, addresses, social security numbers, diagnoses, treatment data, and release states.

Extra safety measures have now been implemented to safeguard patient files, and all patients impacted by the ransomware attack have been notified by mail.