Written by Mark Satter

Nearly 1.4 million people across the U.S. Midwest may have had their personal information exposed in a data breach at one of the region’s largest health care networks.

UnityPoint Health, a network of hospitals, clinics, and home care services in Iowa, Illinois, and Wisconsin, said this week that multiple internal email accounts were compromised between March 14 and April 3, following a series of phishing attacks.

The phishing emails were disguised to appear to have originated from a “trusted executive” within UnityPoint Health.

The stolen data included patient names, addresses, dates of birth, extensive medical records including surgical information and lab results, insurance information and, in some cases, Social Security, bank account, and driver’s license numbers.

According to UnityPoint Health’s press release, the attack was likely financially motivated, rather than focused on obtaining patient information, as the hackers tried to use the company’s email system to divert payroll or vendor payments.

Stolen personal information, like the data taken from UnityPoint Health, often ends up for sale online.

Following the breach, UnityPoint Health has reset the passwords for all of the compromised accounts, conducted mandatory cyber-hygiene education for employees, added technology to identify suspicious emails and implemented multi-factor authentication to login to the company’s systems.

Those affected by the breach will be notified by UnityPoint Health. Patients whose social security or driver’s license numbers were exposed will receive free credit monitoring services for one year.