Cyber Incident Victim: Utah Pathology

Date: Jun 2020

Location: United States of America

Summary

A cybersecurity incident at Utah Pathology Services involved an unauthorized third party attempting to redirect funds through a compromised email account, though no financial transactions were completed. The investigation revealed potential access to sensitive patient information, including names paired with dates of birth, contact details, insurance identifiers, medical data related to pathology services, and Social Security numbers for a small subset. Over 110,000 individuals were affected by the breach, though no misuse of information was confirmed. The organization secured the impacted account, engaged forensic experts to assess the incident, and initiated notifications to patients as a precautionary measure.

Description

On June 30, 2020, Utah Pathology Services identified suspicious activity involving an unknown third party attempting to redirect funds through their systems. The organization clarified that this incident did not involve the compromise of patient information or the successful completion of unauthorized financial transactions. Upon detecting the attempted fraud, Utah Pathology promptly secured the affected email account to prevent further unauthorized access. The organization initiated an internal investigation supported by independent IT security and forensic experts to assess the scope of potential system intrusions and data exposure. This investigation aimed to determine whether sensitive information had been accessed during the breach window and to identify the specific systems impacted by the unauthorized activity.

The forensic examination revealed that personal information belonging to certain patients had been accessible to the unauthorized party during the incident. Exposed data included patient names combined with one or more of the following attributes: dates of birth, gender identifiers, phone numbers, physical and email addresses, insurance identification and group numbers, internal medical record numbers, and clinical diagnostic information related to pathology services. A limited subset of affected individuals—described as a small percentage of the total—also had Social Security numbers exposed. While investigators found no evidence of actual misuse of patient data, Utah Pathology opted to notify approximately 112,000 potentially impacted individuals as a precautionary measure. The organization began mailing individualized notification letters to affected patients, directing them to informational resources about the breach. Ongoing monitoring for fraudulent activity related to the exposed data was implemented, though the investigation remained active to finalize the full technical and operational details of the security event.
