June 5, 2020 - University of Utah Health (U of U Health) announced today that it is notifying patients of some recent data security incidents that impacted some U of U Health employees' email accounts.
From April 7 to May 22, 2020, U of U Health learned there was unauthorized access to some of its employees' email accounts. Access to affected accounts occurred between April 6, and May 22, 2020, with U of U Health taking prompt action to secure each affected account shortly after identifying the unauthorized access.
The unauthorized access occurred as a result of phishing schemes sent to the employees' email accounts and which those employees responded to believing them to be legitimate requests. Phishing is when outside party replicates an email from a trusted source and sends it out in the hopes of tricking a person to respond and potentially gaining unauthorized access to the email accounts.
When U of U Health learned of these incidents, it quickly secured the email accounts and began to investigate. The investigations determined that some patient information was contained in the email accounts, which may have included patient names, dates of birth, medical record numbers, and limited clinical information related to the care patients received at U of U Health facilities. U of U Health notified patients earlier this year of similar attacks and since that time has been working to implement enterprise-wide security enhancements, including expanded use of multi-factor authentication, while also responding to the resource demands presented by the COVID-19 pandemic.
The investigations into these incidents are ongoing but, at this time, U of U Health has no indication that patient information was misused. U of U Health has begun mailing letters to patients whose information was contained in the email accounts, and advised those patients to examine the statements for health care services for any discrepancies or services that they did not receive. Those patients are encouraged to report any issues to their medical provider. U of U Health anticipates sending additional letters in the coming weeks as the investigations of the incidents conclude.
U of U Health is actively reviewing information protocols, reinforcing information security procedures with employees, and implementing changes where needed to help prevent incidents like these from happening again. Should patients have any questions regarding these incidents, they may call 1-844-994-2107, Monday through Friday 7:00 am to 4:30 pm Mountain Time.