AUGUSTA, Ga. – Two phishing attacks on Augusta University’s email accounts may have led to unauthorized access of protected health information and other personal information.
The university has been working closely with external cybersecurity professionals to define the scope of the first incident. On July 31, 2018, investigators determined that email accounts accessed earlier by an unauthorized user may have given that user access to the personal and protected health information of approximately 417,000 individuals. The investigation also determined that the incident occurred on September 10-11, 2017.
An investigation is also currently underway for a second phishing attack that occurred July 11, 2018, which appears to be smaller in scope.
“We take the protection of private information seriously, and we apologize to every person affected by this incident,” said President Brooks A. Keel, PhD. “We are quickly working to implement several planned information security enhancements and will continue to look for ways to safeguard patient and personal privacy.”
Protected information that may have been contained in the initial compromised email accounts included patient names and one or more of the following: addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, dates of service and insurance information. For a small percentage of individuals, their Social Security number and/or driver’s license number may have been included.
While the investigation verified that personal and protected health information was contained in compromised email accounts, no misuse of information has been reported at this time.
Once university officials discovered the initial attack, they acted promptly to stop the intrusion, disabling the impacted email accounts, requiring password changes for compromised accounts, and maintaining heightened monitoring to identify any other suspicious activity.
Augusta University is in the process of notifying regulatory agencies and identifiable individuals whose information may have been compromised. Individuals whose Social Security number may have been contained in the compromised information will be offered free credit monitoring services for one year. Augusta University encouraged notified individuals to remain vigilant in reviewing account statements for fraudulent or irregular activity on a regular basis, including a review of any explanation of benefits statements. Individuals should follow up with the applicable insurance company or care provider for any items that are not recognized. Once the investigation into the July 2018 incident is complete, Augusta University will take necessary actions to notify individuals.
In the meantime, the university has implemented a number of personnel changes and accelerated actions to strengthen its systems against future attacks. These actions include creating a new vice president position for compliance and enterprise risk management, implementing multifactor authentication for off-campus email and systems access, exploring options to limit email retention in Augusta University email accounts, revising policies regarding personal and protected health information in email communications, and implementing software to screen email for personal and protected health information or personally identifiable information.
Individuals with questions or concerns can call toll-free 1-877-327-1090 Monday-Friday between 9 a.m. and 9 p.m. Eastern Time. Additional information is available at augusta.edu/notice.