NBC Connecticut Investigates has new details about a cyber-attack that UConn Health said could impact more than 326,000 people.
The health system began notifying patients and released a public statement about the incident on February 21, 2019.
It said in part, “UConn Health recently learned that an unauthorized third party illegally accessed a limited number of employee email accounts… On December 24, 2018, we determined that the accounts contained some personal information, including some individuals’ names, dates of birth, addresses and limited medical information, such as billing and appointment information. The accounts also contained the Social Security numbers of some individuals.”
In response to an NBC Connecticut inquiry, a spokesperson for UConn Health confirmed the breach happened in August 2018.
The spokesperson said UConn Health immediately hired a forensic security firm to investigate. According to the spokesperson, the process involved manually reviewing more than 285,000 emails and attachments, determining which information was compromised for each person affected, reviewing patient records and contacting each person individually.
West Hartford resident Bill Scaringe and his wife both received letters from UConn Health notifying them of the breach. The letters state the Scaringes’ Social Security numbers were not compromised.
Scaringe said he’s troubled that he learned about the breach six months after it happened.
“They have a duty to protect this information and in my opinion they did not do that,” Scaringe said.
UConn Health advised patients to monitor their credit reports for suspicious activity. It is also offering free credit monitoring and ID theft protection to those whose Social Security numbers were exposed.
George W. Kudelchuk III, enterprise solutions executive at Kelser Corporation in Glastonbury, said UConn Health put the appropriate measures in place after learning of the breach.
Kudelchuk is not involved in the UConn Health investigation, but said the sheer amount of personal information kept by healthcare providers makes them prime targets.
"At the end of the day, no business is impenetrable," he said.
Kudelchuk advises businesses to implement multiple layers of security. And he says it starts with staff training.
"The biggest threat to a business unfortunately are the employees. Inadvertently clicking on something on their lunch break or just not being aware or educated on what the threats are," he said.
That was apparently the case at UConn Health, which confirms the hackers used a phishing attack to exploit the email system.
Kudelchuk said leaving passwords out in the open is another common mistake he sees. He said individuals and businesses alike can protect themselves by sticking to some basic security rules.
"Making sure you're starting off with secure passwords, you're going to secure websites. You're not sharing any of your information, you're not recycling passwords," he said.
UConn Health declined an on-camera interview for this story. A spokesperson told us, “We take seriously the privacy and security of our patients’ personal information and are taking steps to ensure something like this doesn’t happen again.”