Cyberattacks at Highpoint Foot and Ankle Center and the University of Utah Affect 35,000+ Patients’ PHI

Highpoint Foot and Ankle Center, based in New Britain Township, PA, experienced a ransomware attack in May 2020 during which the attackers encrypted and probably accessed or exfiltrated patient information. Highpoint Foot and Ankle learned of the attack on May 20, 2020, when personnel were prevented from accessing particular files on the system.

An investigation was started and found that an unauthorized person had remotely downloaded ransomware onto its computer networks. No evidence was found to suggest that the attacker accessed patient data before encrypting the files. No reports of misuse of patient data have been received either.

A third-party computer forensics agency was engaged to assist with the investigation and confirmed the possible compromise of files containing the PHI of 25,554 patients. The files comprised names, dates of birth, addresses, Social Security numbers, treatment information, diagnoses, and release conditions.

Further precautions have now been put in place to secure patient data, and all patients impacted by the data breach have already been notified by mail.

Phishing Attack on the University of Utah Affects Up to 10,000 Patients

The University of Utah has suffered a phishing attack that has most likely impacted the protected health information (PHI) of about 10,000 patients. This is the University of Utah’s fourth data breach report submitted to the Department of Health and Human Services in 2020. All four incidents are listed as hacking/IT incidents involving email. The previous breach reports were submitted on June 8, 2020 (impacting 1,909 persons), April 3, 2020 (impacting 5,000 persons), and March 21, 2020 (impacting 3,670 persons).

Unauthorized persons gained access to personnel email accounts between January 22, 2020 and May 22, 2020, as indicated by the substitute breach notice posted on the University of Utah Health webpage. It is uncertain at this time whether the most recent breach report also involved access to personnel email accounts during the same time period.

Kathy Wilets, Public Relations Director at the University of Utah Health, gave a statement to databreaches.net saying that the phishing incidents were being treated as independent incidents but might have been part of a coordinated campaign. She explained that the most recent incident probably involved access to some amount of patient information and that the figure of 10,000 affected persons is an estimate. The investigation could confirm whether fewer persons were affected. Steps have been taken to strengthen email security, such as the setup of 2-factor authentication.