
2 Phishing Attacks, 2 Years and $2.8 Million Later

After successful Phishing attacks, patient data was exposed for months.

Iowa's UnityPoint Health System Gets Hit. Hard!

The UnityPoint Health System in Iowa suffered two back-to-back Phishing attacks in 2017 and 2018. After two years of litigation, the health system has reached a $2.8 million settlement with the 1.4 million patients affected.

As a result, the threat actor gained access to the internal email system for nearly a month between March 14 and April 3, 2018.

The second attack lasted less than a month, but cybercriminals stole mountains of data in that time (like here). This was after the first attack lasted 3 months, from November 1, 2017 to February 7, 2018.

The emails contained a trove of patient-related information, from protected health information to Social Security numbers and driver’s licenses.

The lawsuit alleges that UnityPoint took longer than the HIPAA-required 60-day limit for notifying patients of a breach.

Additionally, the plaintiffs claim that health system officials “misrepresented the nature, breadth, scope, harm, and cost of the privacy breach.”

UnityPoint argued that there was no indication that any of the stolen information has been or will be used for nefarious purposes by the hackers.

The lack of apparent damages has historically prevented lawsuits against breached organizations. Without damages, there is no standing, or so they claimed. It seems this is no longer a valid defense.

A third-party security firm will also be required to conduct an annual assessment of UnityPoint Health’s adherence to its security policies.

This attack turned out to be very painful for patients and UnityPoint's reputation and bank account.

It's time health systems protect their patients and their assets from these attacks.

Are you ready to take action?
You already have a lot on your plate, so we make it easy. Find out how to protect your team with INFIMA's Automated Security Awareness platform.

To get a quote, set up a call with our (non-pushy) team here!

Original article here.

Joel Cahill

Cybersecurity enthusiast. Entrepreneur.