University of Utah Health (U of U Health) announced today that it began notifying patients of recent data security incidents that involved some U of U Health employees' email accounts.
From January 22 to February 27, 2020, U of U Health became aware that there was unauthorized access to some its employees' email accounts. The unauthorized access occurred between January 7 and February 21, 2020. The unauthorized access occurred as a result of phishing schemes sent to the employees' email accounts. Phishing is when an outside party replicates an email from a trusted source and sends it out in the hopes of tricking a person and potentially gaining unauthorized access to confidential information.
When U of U Health learned of this, it quickly secured the email accounts, began an investigation, and engaged a cyber security firm to assist in the investigation. The Investigation determined that some patient information was contained in the email accounts, and may have included names, dates of birth, medical record numbers, and limited clinical information related to care U of U Health provided to patients.
Additionally, on February 3, 2020, U of U Health became aware that a common type of malware may have be placed on an employee's workstation. U of U Health quickly secured that workstation, began an investigation into this incident, and engaged a cyber security firm to assist. The Investigation determined that the malware may have allowed access to some patient information from the employee's email account, including patient names, dates of birth, medical record numbers, and limited clinical information related to care U of U Health provided to patients.
Investigation of these incidents continues to be a complex, time consuming, and highly technical process. The investigation is ongoing but, at this time, U of U Health has no indication that patient information was misused. U of U Health is providing this notice now in an effort to alert its patients and to comply with legal obligations that dictate the timing of such notifications.
U of U Health began mailing letters to patients whose information were contained in the email accounts, and advised those patients to examine the statements for health care services for any discrepancies or services that they did not receive. Those patients were encouraged to report any issues to their medical provider. All patients whose information is included in these incidents will be sent letters over the coming weeks as the investigations conclude.
U of U Health is actively reviewing information protocols, reinforcing information security procedures with employees, and implementing changes where needed to help prevent incidents like these from happening again. Should patients have any questions regarding these incidents, they may call 1-800-737-4152, Monday through Friday 7:00 am to 4:30 pm Mountain Time.