Cyber Incident Victim: UnityPoint Health

On February 15, 2018, UnityPoint Health identified a phishing attack that compromised several employee email accounts. The organization immediately secured the affected accounts, reset passwords, and enlisted external cybersecurity experts to conduct a forensic investigation. Analysis revealed unauthorized access to these accounts occurred between November 1, 2017, and February 7, 2018. The compromised emails contained protected health information, including patient names combined with one or more of the following: dates of birth, medical record numbers, treatment details, surgical information, diagnoses, lab results, medications, provider names, dates of service, and insurance data. A smaller subset of individuals had additional exposure of Social Security Numbers or financial information. No evidence suggested identity fraud or misuse of data directly stemming from the incident at the time of discovery.

UnityPoint Health initiated written notifications to affected patients starting April 16, 2018, mailed to their last known addresses. The organization advised recipients to review health insurance statements for unrecognized services, request year-to-date service reports from insurers, and share insurance cards only with trusted providers or family members. A dedicated toll-free response line (855-331-3612) operated weekdays from 8:00 a.m. to 8:00 p.m. Central Time was established for inquiries. Internal measures included password resets, enhanced security protocols, and ongoing evaluations of cybersecurity practices to strengthen safeguards for personal and health information. UnityPoint Health publicly acknowledged the breach and apologized to impacted individuals while emphasizing its commitment to preventing future incidents through improved security frameworks.