Utah Pathology

Utah Pathology Services, operating under the aliases Utah Pathology, UP, and UPA, is a United States-based healthcare organization specializing in pathology services. The company provides diagnostic medical laboratory services, analyzing patient specimens to aid in the diagnosis and treatment of diseases. Its core function involves processing and interpreting clinical samples for physicians and healthcare providers, serving a patient population within the U.S. healthcare system. The organization handles highly sensitive personal health information as a routine part of its operations, including patient names, dates of birth, contact details, insurance identifiers, and specific medical data related to the pathology services performed. For a subset of individuals, Social Security numbers were also maintained within its records, underscoring the nature of the data it manages as a covered entity under health information privacy regulations.

The scale of Utah Pathology Services is evidenced by the significant data breach it experienced on June 30, 2020. This cybersecurity incident involved an unauthorized third party attempting to redirect funds through a compromised email account, though no financial transactions were completed. The forensic investigation determined that the attacker potentially accessed the personal and protected health information of over 110,000 individuals. The breached data elements included the standard patient identifiers and medical information noted above, with Social Security numbers exposed for a smaller group within the affected population. In response to the incident, the organization secured the compromised account, engaged external forensic experts to investigate the scope and impact, and initiated a process to notify all affected patients as a precautionary measure. No confirmed misuse of the accessed information was reported following the breach, and the organization's actions were framed as part of its regulatory and ethical responsibility to inform individuals whose data was potentially exposed. This event highlights the operational reality of managing large volumes of sensitive health data and the incident response protocols employed by the organization when its security is compromised.