The University of Minnesota Physicians (UMPhysicians) has issued notice of a data security event that potentially affected the confidentiality of personal information related to certain patients.
UMPhysicians recently completed a thorough investigation and comprehensive data review of a data security event in which cyber attackers used phishing emails to fraudulently access two employee email accounts. The two phishing email attacks were identified on January 31, 2020, and February 4, 2020, shortly after they occurred. UMPhysicians took immediate steps to secure the email accounts and began working with third-party computer forensic investigators to determine the nature and scope of the incidents. The investigation indicated that an unknown actor had access to one employee email account on January 30 and January 31, 2020, and another employee email account on February 4, 2020, for a brief period of time.
Because the investigation was unable to determine with certainty to what extent any emails within the two accounts may have been viewed by the cyber attackers, in an abundance of caution, UMPhysicians retained third-party specialists to perform a comprehensive review of all information stored in the email accounts at the time of the incident to identify any personal information present in the accounts. On March 30, 2020, UMPhysicians began notifying individuals with information present in the accounts while its review was ongoing. UMPhysicians recently completed the comprehensive data review, which involved many detailed steps to identify and confirm the relevant data and the potentially affected individuals. UMPhysicians is now notifying the additional individuals who were identified as potentially affected.
The recently completed data review identified that one or more of the following types of information associated with an individual were present in an affected email account during the incident: name, address, date of birth, date of death, date of service, telephone number, medical record number, account number, payment card number, health insurance information, and medical information. For a small number of individuals, it may also include a Social Security number. There is no evidence indicating that this information was actually viewed during the incident or has been copied or otherwise misused.
UMPhysicians is notifying potentially affected individuals by this posting, notification on its website, and by mailing letters to potentially affected individuals. For individuals seeking additional information regarding this incident, a dedicated toll-free assistance line has been established. Individuals may call the assistance line at (833) 960-3571, Monday through Friday (excluding US holidays), during the hours of 8 a.m. to 5:30 p.m., Central Time.
Individuals can also find additional information on how they can protect their personal information as well as obtain additional resources on UMPhysicians' website https://mphysicians.org/ and in the letters they will receive by mail. UMPhysicians is offering individuals complimentary identity and credit monitoring for one year. As a precautionary measure, UMPhysicians encourages potentially affected individuals to remain vigilant against incidents of identity theft by reviewing account statements and explanations of benefits for unusual activity and reporting any suspicious activity immediately to their insurance company, health care provider, or financial institution.
UMPhysicians takes this incident and the security of the information in its care very seriously. As part of UMPhysicians' ongoing commitment to its patients, UMPhysicians has implemented a range of privacy and security safeguards designed to enhance the protections it has in place against phishing and similar malicious attacks, including the deployment of additional security technology and security awareness training. UMPhysicians deeply regrets that this matter occurred and sincerely apologizes for any inconvenience or concern it may have caused.
Source: University of Minnesota Physicians