- Close to half a million people may have had their PHI and other personal information exposed in a September 2017 phishing attack that impacted the Augusta University (AU) Health system.
Another phishing attack on July 11, 2018, may have compromised more individuals’ personal data. And two more phishing attacks, one in September 2016 and another in April 2017, exposed even more personal data.
Information that might have been compromised in the September 2017 includes patient addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, dates of service and/or insurance information. For some victims, Social Security number and/or driver’s license number may have been involved, AU said in a notice.
Those at risk are patients who visited the AU Medical Center, Children’s Hospital of Georgia, and 80 outpatient clinics in Georgia. Around 417,000 individuals were impacted.
The university explained that it was the target of phishing attacks on September 10-11, 2017, but it did not discover the attacks until July 31, 2018.
A second phishing attack occurred July 11, 2018, which exposed more people’s personal information, according to AU President Brooks Keel. The investigation into that attack is ongoing, and the university did not disclose the number of affected individuals.
When it discovered the September 2017 attack, AU disabled compromised email accounts, required password changes for those accounts, and increased monitoring of email accounts for suspicious activity.
In response, the university has taken several actions to protect against future incidents:
- Installing new leadership, including a new position of vice president for audit, compliance, ethics and risk management
- Implementing multifactor authentication for off-campus email and system access
- Review and adoption of solutions to limit email retention
- Banning PHI in email communications
- Employing software to screen emails for PHI or PII
- Increasing employee training to prevent security breaches
- Enhancing compliance-related policies and procedures
AU said it is offering free credit monitoring services for one year to those individuals who had their Social Security exposed in the attack.
“At Augusta University, our top priorities are our students, employees and our patients, and that includes our obligation to safeguard their personal and health information,” Keel said in his statement.
AU Health has been plagued by phishing attacks. It admitted May 2017 to a successful attack that occurred the previous September and compromised PHI on less than 1 percent of its patients.
Patient information exposed included full names, home addresses, dates of birth, Social Security numbers, financial account information, medical record numbers, and insurance information.
On September 15, AU Health admitted to another phishing attack, which occurred on April 20-21, 2017.
The university launched an investigation into the incident and confirmed a third-party had gained unauthorized access to two employees' email accounts.
The university said that the April 2017 phishing attacked affected PHI on a few thousand patients. Information that may have exposed included patient names, home addresses, dates of birth, Social Security numbers, driver’s license numbers, financial information, prescription information, diagnosis, and treatment information.
In the September 15 announcement, the university said that it was undertaking extensive training for staff on how to avoid phishing email. Apparently, the training was not sufficient to prevent subsequent phishing attacks.
The bottom line is that healthcare providers and other organizations that do not address cybersecurity issues as soon as they appear continue to suffer from breaches that can be embarrassing and jeopardize the data privacy of their patients.