UnityPoint Patient Records in Iowa, Illinois at Risk

A third-party employee for a health system that operates hospitals and clinics in Iowa and Illinois had unauthorized access to personal records of about 1,800 patients, the company said Wednesday.

UnityPoint Health said a recent audit revealed a pattern of unusual access to patient data in its hospital electronic medical record system. The company discovered an unauthorized individual had gained access between February and August by using the passwords of authorized employees.

The company said it shut off the access, reported the incident to law enforcement and contacted affected patients by letter.

Information, such as names, home addresses, dates of birth and medical insurance account numbers, may have been viewed. A small percentage of the affected patients may have had their Social Security numbers and driver’s license numbers viewed, too.

Affected patients, including the families of minors, will be offered a credit-monitoring service, the company said. Employees authorized to use the company’s record system will be given more education about policies on password safeguarding. UnityPoint also plans to conduct more audits.

“The privacy and security of our patients’ information is very important to us, and we have many safeguards in place to protect this information,” said company spokeswoman Laura Sinnard in a statement. “To date, we are not aware of any reports of identity fraud, theft, or similar harmful activity arising out of this incident. We apologize to our patients who were impacted.”

UnityPoint said the person who viewed the records was employed through a third party, but additional information was not released.

UnityPoint, previously called Iowa Health System, is based in West Des Moines.