Augusta University phishing attack affects 417,000 patients

The personal information of 417,000 patients at Augusta University Health was compromised after 24 employees fell victim to a phishing attack in September 2017.

Upon discovery, Augusta University disabled the affected email accounts, requested password resets, and increased system monitoring to ensure no further suspicious activity occurred.

What happened?

The compromised data includes patients’ names, addresses, dates of birth, Social Security numbers, financial information, medical record information, diagnoses, insurance information, medications, and driving license numbers.

The investigation is ongoing, but has so far been unable to determine whether the information was merely accessed or also downloaded by the unauthorized third party.

Those affected will be notified and advised of best practices to protect their personal information. For those whose Social Security number was exposed, complimentary credit monitoring services will be provided.

A statement from Augusta University Health’s President, Brooks A. Keel, revealed that a second phishing attack occurred on July 11, 2018, but was smaller than the September 2017 attack.

Keel said:

While the investigation verified that personal information was contained in compromised email accounts, no misuse of information has been reported at this time.

We are reporting the results of our investigation to all appropriate law enforcement and state and federal regulatory agencies.

Our IT staff also reacted quickly to contain the July 11, 2018, attack. The number of email accounts involved in this attack is fewer than those in the September attack. The investigation into the consequences of that attack is still underway. We have again engaged experts in this area to support our work.

Augusta University has apologized for the incident and advised that it will be taking actions to prevent future incidents, including:

  • Multifactor authentication for off-campus access
  • Increasing employee training to prevent security breaches
  • Solutions to limit email retention
  • Reviewing procedures regarding protected health information in email communications

Phishing attacks are increasingly popular within the health care sector because of the volume and sensitivity of personal data these organizations hold. This incident underscores the importance of providing employees with sufficient training.

Protect your organization from phishing attacks

No matter how effective your spam filter is, a spoof email could bypass it, making your organization’s staff the last line of defense against fraud. It is therefore vital that your staff are aware of the risks of phishing emails. E-learning courses are an efficient, cost-effective method of training all your staff with minimal disruption.

Our Phishing Staff Awareness Course gives your staff an introduction to understanding and spotting phishing scams, and helps reduce the chance that an employee will hand over confidential information or inadvertently infect your organization’s systems. The course helps employees identify phishing attacks, explains what would happen should they fall victim, and shows them how they can mitigate the threat of an attack.

Find out more about our Phishing Staff Awareness Course.