We are committed to protecting the confidentiality of our patients’ information. Regrettably, this notice is regarding recent incidents involving some patients’ information. This notice explains the incidents, measures we have taken, and some steps you can take in response.

June 5th 2020

From April 7 to May 22, 2020, U of U Health learned there was unauthorized access to some of its employees’ email accounts. Access to affected accounts occurred between April 6, and May 22, 2020, with U of U Health taking prompt action to secure each affected account shortly after identifying the unauthorized access. The unauthorized access occurred as a result of phishing schemes sent to the employees’ email accounts and which those employees responded to believing them to be legitimate requests. Phishing is when an outside party replicates an email from a trusted source and sends it out in the hopes of tricking a person to respond and potentially gaining unauthorized access to the email account. When U of U Health learned of these incidents, it quickly secured the affected email accounts and began to investigate. The investigations determined that some patient information was contained in the email accounts, which may have included patient names, dates of birth, medical record numbers, and limited clinical information related to the care patients received at U of U Health facilities.

Notification Letters

Our investigations into these incidents is ongoing. However, we have no indication any information has been misused. In an abundance of caution, we began mailing notification letters to patients on June 5, 2020, and have established a dedicated call center to answer questions our patients may have. We recommend patients review the statements they receive from their health care providers. If there are discrepancies or services that you did not receive, please contact the provider immediately.

We deeply regret any concern or inconvenience this may cause our patients. We are actively reviewing information protocols, reinforcing information security procedures with our employees and implementing changes where needed to help prevent an incident like this from happening again.

Questions or Concerns

If you have questions about this incident or believe you may have been impacted and do not receive a letter by April 30, please call 1-800-737-4251, Monday through Friday, 7:00 am to 4:30 pm Mountain Time.

March 20th 2020

From January 22 to May 22, 2020, we became aware of unauthorized access to some employees’ email accounts. This unauthorized access occurred between January 7 and February 21, 2020. The unauthorized access occurred as a result of phishing schemes sent to the employees’ email accounts. Phishing is when someone replicates an email from a trusted source and sends it out in hopes of tricking a person and gaining unauthorized access to the email account. We quickly secured the email account, began an investigation, and engaged a cybersecurity firm to assist. Our investigation determined that some patient information was included in the email account, including names, dates of birth, medical record numbers, and limited clinical information about care received at University of Utah Health.

Additionally, on February 3, 2020, we became aware that a common type of malware may have been placed on an employee's workstation. We quickly secured that workstation, began an investigation into this incident, and engaged a cybersecurity firm to assist. The investigation determined that the malware may have allowed access to some patient information from the employee's email account, including patient names, dates of birth, medical record numbers, and limited clinical information related to the care U of U Health provided to patients.

Notification Letters

Our investigations into these incidents is ongoing. However, we have no indication any information has been misused. In an abundance of caution, we began mailing notification letters to patients on March 20, 2020 and have established a dedicated call center to answer questions our patients may have. We recommend patients review the statements they receive from their healthcare providers. If there are discrepancies or services that you did not receive, please contact the provider immediately.

We deeply regret any concern or inconvenience this may cause our patients. We are actively reviewing information protocols, reinforcing information security procedures with our employees and implementing changes where needed to help prevent an incident like this from happening again.

Questions or Concerns

If you have questions about this incident or believe you may have been impacted and do not receive a letter by April 30, please call 1-800-737-4251, Monday through Friday, 7:00 am to 4:30 pm Mountain Time.