112K patients impacted by Utah pathology services email hack


On the website of Utah Pathology Services, a network of anatomic and clinical pathology doctors and clinics based in Salt Lake City, the headline “NOTICE OF DATA INCIDENT” dominates the front page. The company, which was founded over 80 years ago, is clearly taking a recent data security incident seriously.

According to the company, information about its 112,000 patients might have been accessed. Although Utah Pathology said in its notice that the hack “did not involve any patient information, or the completion of any financial transactions,” the data in question did include “the personal information of certain individuals.”

About Utah Pathology Services

Founded in 1939, the company provides medical services across the state of Utah, working with a network of licensed medical doctors and doctors of osteopathic medicine, including pathologists who have specialty training in cytopathology, hematopathology, and gastrointestinal pathology.

Services provided include pap smears, biopsies, cytology, dermatopathology and hematopathology, and general clinical pathology and pathology consults.

What happened?


An unknown third party attempted to redirect funds from Utah Pathology via an email attack. Utah Pathology Services says it learned of the incident on June 30, 2020, and quickly secured the email account that was targeted and launched an investigation with the help of independent IT security and forensic investigators.

While details of the attack were not disclosed, the broad outlines of the incident fit the profile of a business email compromise, a tactic that cost U.S. companies over $10 billion between October 2013 and July 2019, according to the FBI.

The Utah Pathology Services incident has not led to any fraudulent financial transactions being conducted yet, but the investigation found that the attackers could still have accessed information about patients.

What information was exposed?

“The personal information of certain individuals . . . was accessible to the unauthorized party,” according to the notice. In addition to names, birthdates, gender, contact and insurance information, Utah Pathology Services says that “medical and health information” was also at risk. This includes “diagnostic information related to pathology services.”

For a small percentage of patients, Social Security numbers were also exposed.


What is the impact on patients?

Utah Pathology Services has notified all potentially affected patients of the data breach and is mailing letters to those whose information was contained in the targeted email account.

The company says it has no evidence that patient information has been misused, but the company has engaged a third party to provide all patients with identity monitoring services for a year “to help relieve concerns and restore confidence.”

Patients will also want to take other precautions against identity theft and fraud, including notifying their financial institutions and the major credit reporting agencies.

What is the impact on the company?

The impact on the reputation of Utah Pathology Services is harder to measure, but it is also significant.

This data breach earned the company an entry on the U.S. Department of Health and Human Services’ public list of incidents currently under investigation by the Office for Civil Rights, a list that is widely described as a “Wall of Shame.”

The involvement of protected health information (PHI) means this incident is a HIPAA violation, which could mean fines up to $1.5 million and possible jail time.

How can data breaches like this be prevented?

Email is the most common entry point for cybercriminals, as it was in this case. Because email is used by almost every employee in a company, there are countless internal vulnerabilities to address.

Fortunately, it is possible to implement HIPAA compliant email as part of a comprehensive data loss prevention (DLP) program. “Secure” doesn’t have to mean “complex.” Paubox Email Suite requires no plugins, no separate portals, or other extra steps.

Try Paubox Email Suite for FREE today.

About the author

Ryan Ozawa
