112K Patients Impacted by Utah Pathology Services Email Hack
by Ryan Ozawa
On the website of Utah Pathology Services, a network of anatomic and clinical pathology doctors and clinics based in Salt Lake City, the headline “NOTICE OF DATA INCIDENT” dominates the front page. The company, which was founded over 80 years ago, is clearly taking a recent data security incident seriously.
According to the company, information about its 112,000 patients might have been accessed. Although Utah Pathology said in its notice that the hack “did not involve any patient information, or the completion of any financial transactions,” the data in question did include “the personal information of certain individuals.”
About Utah Pathology Services
Founded in 1939, the company provides medical services across the state of Utah, working with a network of licensed medical doctors and doctors of osteopathic medicine, including pathologists who have specialty training in cytopathology, hematopathology, and gastrointestinal pathology.
Services provided include pap smears, biopsies, cytology, dermatopathology and hematopathology, and general clinical pathology and pathology consults.
An unknown third party attempted to redirect funds from Utah Pathology via an email attack. Utah Pathology Services says it learned of the incident on June 30, 2020, and quickly secured the email account that was targeted and launched an investigation with the help of independent IT security and forensic investigators.
While details of the attack were not disclosed, the broad outlines of the incident fit the profile of a business email compromise, a tactic that cost U.S. companies over $10 billion between October 2013 and July 2019, according to the FBI.
The Utah Pathology Services incident has not led to any fraudulent financial transactions being conducted yet, but the investigation found that the attackers could still have accessed information about patients.
What information was exposed?
“The personal information of certain individuals . . . was accessible to the unauthorized party,” according to the notice. In addition to names, birthdates, gender, contact and insurance information, Utah Pathology Services says that “medical and health information” was also at risk. This includes “diagnostic information related to pathology services.”
For a small percentage of patients, in fact, social security numbers were also exposed.
What is the impact on patients?
Utah Pathology Services has notified all potentially affected patients of the data breach and is mailing letters to those whose information was contained in the targeted email account.
The company says it has no evidence that patient information has been misused, but the company has engaged a third party to provide all patients with identity monitoring services for a year “to help relieve concerns and restore confidence.”
What is the impact on the company?
The impact on the reputation of Utah Pathology Services is harder to measure, but it is also significant.
This data breach earned the company an entry on the U.S. Department of Health and Human Services’ public list of incidents currently under investigation by the Office for Civil Rights, a list that is widely described as a “Wall of Shame.”
How can data breaches like this be prevented?
Email is the most common entry point for cybercriminals, as it was in this case. Because email is used by almost every employee in a company, there are countless internal vulnerabilities to address.
Fortunately, it is possible to implement HIPAA compliant email as part of a comprehensive data loss prevention (DLP) program. “Secure” doesn’t have to mean “complex.” Paubox Email Suite requires no plugins, no separate portals, or other extra steps.