417,000 Individuals Affected by Augusta University Health Phishing Attack

Augusta University Health has reported a serious data breach that has impacted an estimated 417,000 individuals, including patients, faculty members and a limited number of students.

Most of the patients affected by the breach had previously received medical services at Augusta University Medical Center or Children’s Hospital of Georgia, although patients from over 80 outpatient clinics in Georgia have also been affected and had their personally identifiable information (PII) and protected health information (PHI) exposed.

A wide range of PII and PHI was exposed, including names, addresses, dates of birth, lab test results, diagnoses, medications, treatment information, dates of service, medical record numbers, surgical information, and health insurance details. Augusta University Health said only a small percentage of individuals had a driver’s license number or Social Security number exposed. The PII and PHI were saved in emails and email attachments.

Augusta University Health said a data security incident was discovered on September 11, 2017 following a phishing attack on some of its employees. Some employees responded to the messages and disclosed their login credentials, allowing their accounts to be accessed remotely. In total, the email accounts of 24 university administration and faculty staff members were compromised.

Upon discovery of the attack, the email accounts were disabled to prevent data access and misuse of the accounts. The investigation showed the breach had occurred on the same day it was discovered or on September 10. In addition to changing passwords on the accounts, affected accounts were monitored for any sign of suspicious activity.

Augusta University Health said in its substitute breach notice that external investigators notified it on July 31, 2018, more than 10 months after the breach was detected, that there had been a PHI/PII breach. The investigators had to manually sort through 364,000 emails and email attachments to determine whether they included any PII or PHI.

Breach notification letters are being sent to all individuals affected by the breach and by a second phishing attack that occurred on July 11, 2018. The second phishing attack is still under investigation, although it is not as severe. Free credit monitoring services are being offered to individuals whose Social Security number was exposed.

Even though the breach occurred in September 2017, no reports have been received by Augusta University Health to suggest that any PII or PHI has been misused. However, as a precaution, all individuals affected have been advised to carefully monitor their account statements and Explanation of Benefits statements for any sign of fraudulent activity.

These are not the only phishing incidents reported by Augusta University Health. In total, there have been four successful phishing attacks on Augusta University Health in the past two years. The previous two phishing attacks affected a total of approximately 10,300 individuals.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.