ÑÇÖÞ×ÔοÊÓƵ of Utah ÑÇÖÞ×ÔοÊÓƵ (U of U ÑÇÖÞ×ÔοÊÓƵ) announced today that it began notifying patients of recent data security incidents that involved some U of U ÑÇÖÞ×ÔοÊÓƵ employees' email accounts.
From January 22 to February 27, 2020, U of U ÑÇÖÞ×ÔοÊÓƵ became aware that there was unauthorized access to some its employees' email accounts. The unauthorized access occurred between January 7 and February 21, 2020. The unauthorized access occurred as a result of phishing schemes sent to the employees' email accounts. Phishing is when an outside party replicates an email from a trusted source and sends it out in the hopes of tricking a person and potentially gaining unauthorized access to confidential information.
When U of U ÑÇÖÞ×ÔοÊÓƵ learned of this, it quickly secured the email accounts, began an investigation, and engaged a cyber security firm to assist in the investigation. The Investigation determined that some patient information was contained in the email accounts, and may have included names, dates of birth, medical record numbers, and limited clinical information related to care U of U ÑÇÖÞ×ÔοÊÓƵ provided to patients.
Additionally, on February 3, 2020, U of U ÑÇÖÞ×ÔοÊÓƵ became aware that a common type of malware may have be placed on an employee's workstation. U of U ÑÇÖÞ×ÔοÊÓƵ quickly secured that workstation, began an investigation into this incident, and engaged a cyber security firm to assist. The Investigation determined that the malware may have allowed access to some patient information from the employee's email account, including patient names, dates of birth, medical record numbers, and limited clinical information related to care U of U ÑÇÖÞ×ÔοÊÓƵ provided to patients.
Investigation of these incidents continues to be a complex, time consuming, and highly technical process. The investigation is ongoing but, at this time, U of U ÑÇÖÞ×ÔοÊÓƵ has no indication that patient information was misused. U of U ÑÇÖÞ×ÔοÊÓƵ is providing this notice now in an effort to alert its patients and to comply with legal obligations that dictate the timing of such notifications.
U of U ÑÇÖÞ×ÔοÊÓƵ began mailing letters to patients whose information were contained in the email accounts, and advised those patients to examine the statements for health care services for any discrepancies or services that they did not receive. Those patients were encouraged to report any issues to their medical provider. All patients whose information is included in these incidents will be sent letters over the coming weeks as the investigations conclude.
U of U ÑÇÖÞ×ÔοÊÓƵ is actively reviewing information protocols, reinforcing information security procedures with employees, and implementing changes where needed to help prevent incidents like these from happening again. Should patients have any questions regarding these incidents, they may call 1-800-737-4152, Monday through Friday 7:00 am to 4:30 pm Mountain Time.