HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

5 Months to Notify Patients of Augusta University Medical Center Phishing Attack

An Augusta University Medical Center phishing attack has resulted in an unauthorized individual gaining access to the email accounts of two employees.

It is unclear exactly when the phishing attack was discovered, although an investigation into the breach was concluded on July 18, 2017. That investigation confirmed access to the employees’ email accounts was gained between April 20-21, 2017.

Upon discovery of the breach, access to the email accounts was disabled and passwords were reset. The investigation did not confirm whether any of the information in the accounts had been accessed or copied by the attackers.

Patients impacted by the breach have now been notified – five months after the breach occurred. Patients have been informed that the compromised email accounts contained sensitive information such as names, addresses, dates of birth, driver’s license numbers, financial account information, prescription details, diagnoses, treatment information, medical record numbers and Social Security numbers. The amount of information exposed varied for each patient.

It is currently unclear how many patients have been impacted, although a spokesperson for AU Medical Center said the breach impacted fewer than 1% of its patients. Credit monitoring and identity theft protection services are being offered to all patients whose Social Security number was compromised.

This is not the first time that employees at Augusta University have fallen for phishing scams. A similar breach occurred between September 7-9, 2016, resulting in similar data being exposed. In that case, “a small number” of employees responded to phishing emails and divulged their email logins.

While that breach was identified promptly – News Channel 6 reported that all AU employees were required to reset their passwords due to a significant risk following the phishing attack – the Augusta Chronicle reported in May that the investigation into the breach was only completed on March 29, 2017 – more than six months after the attack took place. Individuals impacted by the breach were notified within 60 days of the breach investigation being completed. The breach was reported to the HHS’ Office for Civil Rights on May 26,2017.

The Health Insurance Portability and Accountability Act’s Breach Notification Rule allows HIPAA-covered entities up to 60 days following the discovery of a breach to issue breach notification letters to patients and to alert OCR of the breach.

It should be noted that while HIPAA allows up to 60-days to report data breaches, covered entities must report incidents ‘without unreasonable delay’.  Failure to report incidents promptly can easily result in a HIPAA penalty, as Presense Health discovered earlier this year. In that case, breach notifications were issued three months after the breach was discovered, resulting in a settlement of $475,000.

This latest breach was announced five months after the email accounts were compromised, with the investigation concluding three months after the initial breach. The earlier phishing attack appeared to take 6 months to investigate and report, with notifications sent to patients eight months after the breach.

Why the investigations took so long to conduct and why reporting the incidents was delayed is something of a mystery. According to OCR’s breach reporting portal, the September phishing attack is still under investigation. The latest incident has yet to appear on the OCR breach portal.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.