Cyber Incident Victim: United Health Services of Delaware
Date: May 2023
Location: United States of America
Summary
United Health Services of Delaware experienced a data breach when a vendor fell victim to an email phishing attack, compromising a user account. This unauthorized access led to the exposure of patient information, which included full names, patient account and medical record numbers, admission and discharge dates, diagnosis statuses, and associated billing amounts. The healthcare provider, which operates hundreds of facilities, notified all affected individuals following its investigation.
Description
On January 18, 2023, a vendor utilized by United Health Services of Delaware identified suspicious activity within its computer system. An investigation into this activity was subsequently launched. The investigation determined that the security incident was the result of a successful email phishing attack. This attack led to the compromise of a single user’s email account credentials. The unauthorized access to this email account provided the threat actor with the ability to view all emails and any file attachments contained within the compromised mailbox. The vendor involved in the incident was not named in the official filing with state authorities.

United Health Services of Delaware, upon being notified by its vendor of the security event, began its own review process. The purpose of this review was to ascertain the nature and scope of the patient information that was accessible within the compromised email account. The company analyzed the affected files to determine precisely which consumers were impacted and what specific types of their data were exposed to the unauthorized party. This forensic analysis confirmed that an unauthorized actor had indeed gained access to sensitive consumer information.
The investigation concluded that the compromised data varied from individual to individual but consisted of a combination of personal identifiers and protected health information. The specific data elements exposed in the incident included the full names of patients. Additionally, patient account numbers and medical record numbers were accessed. Information pertaining to the dates of hospital admission and the dates of discharge was also contained within the breached files. The status of patient diagnoses was another category of health information that was exposed. Furthermore, associated billing amounts, which detail the financial charges linked to medical services, were compromised in the attack. The breach did not involve more extensive financial information such as Social Security numbers, credit card numbers, or banking details, based on the information provided in the official notice.
On May 17, 2023, United Health Services of Delaware formally filed a notice of data breach with the Montana Attorney General’s office. This filing served as the official public acknowledgment of the security incident and its impact on patient data. The same date, May 17, 2023, was also when UHS of Delaware initiated the process of directly notifying the individuals whose information was involved. The company began sending out data breach notification letters via mail to all consumers who were identified as being affected by this incident. These letters were intended to inform recipients that their personal and health information had been compromised as a result of the vendor's email account breach. The notifications provided individuals with details about what specific categories of their data were accessed.
United Health Services of Delaware is a substantial healthcare organization headquartered in King of Prussia, Pennsylvania. The organization operates a vast network of more than 400 hospitals, behavioral health facilities, and ambulatory care centers across multiple jurisdictions. Its operations extend throughout the United States and include locations in Puerto Rico and the United Kingdom. The company is a major employer, with a workforce exceeding 94,000 people. Its annual revenue is approximately $13 billion, indicating the scale of its operations and the vast amount of patient data it manages through its own systems and those of its vendors.
The incident exemplifies a common attack vector targeting the healthcare sector, namely the compromise of a third-party vendor. In this case, the initial breach did not occur on systems directly controlled by UHS of Delaware but rather on the information technology infrastructure of one of its business partners. The vendor’s system was compromised through a phishing attack, a social engineering technique designed to trick an employee into divulging login credentials. The successful phishing attack granted the threat actor persistent access to a single email account, which then served as a repository of sensitive patient data that could be exfiltrated or viewed.
The impact of the breach is directly tied to the highly sensitive nature of the information exposed. The combination of personal identifiers with specific medical and billing information creates a significant risk for the affected individuals. This type of data is highly valued by cybercriminals and can be exploited for various fraudulent activities, including medical identity theft and financial fraud. Medical identity theft can involve using a victim’s identity to obtain prescription drugs, submit fraudulent insurance claims, or receive medical treatment, potentially leading to erroneous entries in a person’s permanent medical history. The disclosure of billing amounts and diagnosis status can also be used for targeted scams or blackmail attempts, adding to the potential harm for victims.
The response timeline indicates a period of approximately four months between the vendor’s initial discovery of suspicious activity on January 18, 2023, and the consumer notification carried out on May 17, 2023. This interval was occupied by the investigation conducted by the vendor, the subsequent review and analysis performed by UHS of Delaware to determine the scope of the impacted data, and the process of identifying and locating all affected individuals to prepare for mailing notifications. The company fulfilled its legal obligation to report the breach to the appropriate government authority, in this case, the Montana Attorney General, and to provide direct notice to the consumers whose data was compromised.
The breach underscores the cybersecurity challenges faced by large healthcare providers that rely on an ecosystem of third-party vendors. These vendors often have access to or store sensitive patient data as part of the services they provide, making them attractive targets for attackers seeking to exploit healthcare information. The incident highlights the critical importance of robust security practices, including employee training against phishing attempts and secure email protocols, not only within the primary healthcare organization but also across its entire chain of vendors and business associates. The compromise of a single vendor email account was sufficient to cause a significant data security incident affecting an unknown number of patients across the extensive network of UHS of Delaware facilities.
