One-sentence summary:
Uintah Basin Healthcare of Utah was breached for over a decade involving the PHI of over 103k+ patients.
Who was involved?
Uintah Basin Healthcare, potentially 103,974 patients, and a threat actor.
What was the timeline?
March 2012: Breach starts
November 7, 2022: UBH detects the initial IOCs of the breach and begins their incident response
April 7, 2023: Uintah Basin Healthcare determines patient data is involved in the breach
April 10, 2023: UBH completes review of patient data breached
May 10, 2023: Uintah Basin Healthcare begins consumer notification
What occurred?
Uintah Basin Healthcare was breached for over a decade before discovering the intrusion and notifying patients approximately 6 months after (Uintah Basin Healthcare, 2023a). Over 103,974 patients are potentially implicated along with the following sensitive data: “name, date of birth, address, Social Security number, health insurance information, and certain, clinical details including diagnosis/conditions, medications, test results, and procedure information” (Uintah Basin Healthcare, 2023b).
Estimated costs:
Incident response costs, “leading cybersecurity firm,” breach notification costs, M-F call center, 12 months IDX identity services
Involved laws:
Federal: HIPAA and HITECH
Maine: 10 M.R.S.A. § 1346
Utah: Utah Code §§ 13-44-101, 13-44-202, 13-44-301
Vermont: 9 V.S.A. § 2435
Root cause:
TBA or N/A (see disclaimer)
Lessons learned:
TBA or N/A (see disclaimer)
Sources:
Uintah Basin Healthcare. (2023a). Re: Notice of Data Security Incident. In Data Breach Notifications. Office of the Maine Attorney General. Retrieved May 15, 2023, from https://apps.web.maine.gov/online/aeviewer/ME/40/50d6b14a-ea71-4c64-95cf-71db833225f5/632fa197-716b-4fb2-a2cd-548b7014c904/document.html
Uintah Basin Healthcare. (2023b). Uintah Basin Healthcare – Notice of Data Incident. In ubh.org. Retrieved May 15, 2023, from https://ubh.org/wp-content/uploads/sites/534/2023/05/UBH-Substitute-Notice9479099.2.pdf
Uintah Basin Healthcare (research.net). (n.d.). c56c36a2-8ce8-4f26-ba65-fafada655db6.jpg. research.net. https://surveymonkey-assets.s3.amazonaws.com/survey/82311717/c56c36a2-8ce8-4f26-ba65-fafada655db6.jpg