After successful phishing attacks, patient data was exposed for months.
The UnityPoint Health System in Iowa suffered two back-to-back phishing attacks in 2017 and 2018. After two years of litigation, the health system has reached a $2.8 million settlement with the 1.4 million patients affected.
In the second attack, the threat actor gained access to the internal email system for nearly a month, between March 14 and April 3, 2018.
Although that second attack lasted less than a month, the cybercriminals stole mountains of data in that time. It followed a first attack that had lasted three months, from November 1, 2017 to February 7, 2018.
The emails contained a trove of patient-related information, from protected health information to Social Security numbers and driver’s licenses.
The lawsuit alleges that UnityPoint took longer than the HIPAA-required 60-day limit to notify patients of the breach.
Additionally, the plaintiffs claim that health system officials “misrepresented the nature, breadth, scope, harm, and cost of the privacy breach.”
UnityPoint argued that there was no indication that any of the stolen information has been or will be used for nefarious purposes by the hackers.
The lack of apparent damages has historically shielded breached organizations from lawsuits: without damages, the argument went, plaintiffs have no standing. It seems this is no longer a valid defense.
As part of the settlement, a third-party security firm will also be required to conduct an annual assessment of UnityPoint Health’s adherence to its own security policies.
These attacks turned out to be very painful for the patients, and for UnityPoint's reputation and bank account alike.
It's time for health systems to protect their patients and their assets from these attacks.