UConn Health, UW Medicine reveal major cyber incidents affecting more than 1 million patients

UConn Health incident stemmed from illegal access to employee email accounts; UW Medicine detected a vulnerability on a website server.

Beth Jones Sanborn, Managing Editor

Data breaches hitting two major health systems on opposite coasts may have compromised the private health and personal information of more than a million people. UConn Health has revealed that on December 24, the system learned an "unauthorized third party" illegally accessed some employee email accounts that contained individuals' names, dates of birth, addresses and limited medical information such as billing and appointment information as well as some Social Security numbers.

Meanwhile, on the upper west coast, UW Medicine said they have become aware of a vulnerability on a website server that made protected internal files available and visible by search on the internet on Dec. 4, 2018. The files contained patients' names, medical record numbers, and a description and purpose of the information, but did not contain any medical records, patient financial information or Social Security numbers.


UW Medicine said the breach affected 974,000 patients and has been reported to OCR. Letters have been sent to those patients. They also said that upon learning of the incident, immediate steps were taken to remove the information from the site in question as well as any third-party sites.

So far, the system said there is no evidence of misuse or attempted use of the exposed information and a call center has been set up to deal with inquiries.

UConn Health has also mailed letters to the affected patients from their system, including information on preventing identity theft. One report had the number affected at 326,000 patients. UConn Health said they moved immediately to secure the impacted accounts and confirm the security of their email system. They said so far there has been no fraudulent activity impacting the affected patients stemming from the incident, though they also do not know if any personal information was ever viewed or acquired by the unauthorized party.

The incident had no impact on their computer networks or electronic medical record systems, the system said.


According to the 2019 HIMSS Cybersecurity Survey published at HIMSS19 in Orlando, large-scale cybersecurity incidents are a "near-universal experience." Only 22 percent of respondents said they had not experienced a significant security incident over the past year, and the survey found that hospitals still face frequent threats.

Email is the most common pathway into a healthcare organization, according to 59 percent of respondents. Perpetuating the threat level are major gaps in the healthcare space, including a lack of phishing tests and legacy systems. Overall, the majority of threat actors, 58 percent, were cybercriminals and others with "malicious intent," the survey said.


"We take our responsibility to safeguard personal information seriously and apologize for any inconvenience or concern this incident might cause. We have taken and will continue to take steps to help prevent something like this from happening again, including evaluating additional platforms for educating staff and reviewing technical controls," UConn Health said in a statement.

"We regret that this incident occurred and sincerely apologize for any distress this may cause our patients and their families. UW Medicine is committed to providing quality care while protecting patients' personal information. We are reviewing our internal protocols and procedures to prevent this from happening again," UW Medicine said in a statement.

Twitter: @BethJSanborn