10,000 Patients Affected in University of Utah Health Data Breach


More than a month after the University of Utah Health (U of U Health) announced there was unauthorized access to some of its employees’ email accounts, details about the recent breach was finally reported to the U.S. Department of Health and Human Services on Monday, July 20.

According to the state department, approximately 10,000 patients were affected by the breach and had their personal data and medical records exposed.


On June 5, 2020, the U of U Health revealed it discovered some data security incidents that impacted some of its employees’ email accounts. According to the health center, the unauthorized access occurred as a result of phishing schemes sent to its employees’ email accounts and happened between April 7 to May 22, 2020.

University of Utah Health Data Breach

In the initial release, U of U Health claimed it immediately “secured the email accounts and began to investigate” after learning about the incidents.


“The investigations determined that some patient information was contained in the email accounts, which may have included patient names, dates of birth, medical record numbers, and limited clinical information related to the care patients received at U of U Health facilities,” the center wrote. “U of U Health notified patients earlier this year of similar attacks and since that time has been working to implement enterprise-wide security enhancements, including expanded use of multi-factor authentication, while also responding to the resource demands presented by the COVID-19 pandemic,” it added.

At the time, no specific number of impacted patients were provided by the institution.

“The 10,000 was an estimate at that time. We still haven’t finished the full investigation and the number could be smaller,” Kathy Wilets, a spokesperson for U of U Health, told 2News.

In the same earlier release, the health center said investigations are ongoing but, at the time, there is “no indication that patient information was misused.”

Another Info Security Incident

In a separate news release published Wednesday, the University of Utah Communications announced computing servers in a college at the University experienced a security incident on Sunday. It is not clear whether the incident mentioned is related to the patient data breach that occurred from April to May this year.

The university, however, ensured it has already “notified appropriate law enforcement entities and the U’s Information Security Office (ISO) is actively investigating the matter.”

As a precaution, the institution instructed its staff, faculty, and students to change their uNID passwords by Wednesday, August 5.