BreachExchange mailing list archives

UnityPoint security breach puts records of 1,800 patients at risk


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 3 Oct 2013 00:57:00 -0600

http://thegazette.com/2013/10/02/unitypoint-security-breach-puts-records-of-1800-patients-at-risk/

Personal information of 1,800 UnityPoint Health patients, including about
350 patients in the Cedar Rapids area, may be at risk following a security
breach in the network’s electronic medical record.

Hospital employees discovered the breach Aug. 8 during a regular security
audit, UnityPoint Spokeswoman Laura Sinnard said. They traced the breach
back to an authorized user who gave the log-in and password information to
someone else, who tapped into the records with high enough frequency to
raise red flags during the audit, Sinnard said.

UnityPoint forced a password reset and reported the breach to the FBI,
which is investigating.

Information that may have been accessed for affected patients includes
names, home addresses, dates of birth, Social Security Numbers, medical
account numbers, health insurance account numbers and Driver’s License
Numbers, health information about patient treatment, and information about
the patient’s financially-responsible party.

The unauthorized access occurred from February through August for patients
across the state.

UnityPoint sent letters to all affected patients and is offering credit
monitoring and identity-protection assistance to those affected. So far, no
one has reported any fraud or theft, Sinnard said.

Authorized users of the UnityPoint Health Electronic Medical Record (EMR)
are being provided additional education on existing procedures, including
the importance of safeguarding their password, Sinnard said.

“We do take the security of our patient information very seriously,” she
said.

Des Moines-based UnityPoint Health, which includes St. Luke’s Hospital in
Cedar Rapids, is a system of 30 hospitals and 280 physician clinics, as
well as home care services in Iowa and Illinois. The network was called
Iowa Health System before an April name change.

Neither party involved in the security breach is a UnityPoint employee, but
the authorized user had access as part of the network partnerships, Sinnard
said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 