[BreachExchange] 417, 000 Individuals Affected by Augusta University Health Phishing Attack

Sun Aug 19 22:51:28 EDT 2018

https://www.hipaajournal.com/417000-individuals-affected-by-augusta-university-health-phishing-attack/

A serious data breach has been reported by Augusta University Health
that has impacted an estimated 417,000 individuals including patients,
faculty members and a limited number of students.

Most of the patients affected by the breach had previously received
medical services at Augusta University Medical Center or Children’s
Hospital of Georgia, although patients from over 80 outpatient clinics
in Georgia have also been affected and had their personally
identifiable information (PII) and protected health information (PHI)
exposed.

A wide range of PII and PHI was exposed, including names, addresses,
dates of birth, lab test results, diagnoses, medications, treatment
information, dates of service, medical record numbers, surgical
information, and health insurance details. Augusta University Health
said only a small percentage of individuals had a driver’s license
number or Social Security number exposed. The PII and PHI were saved
in emails and email attachments.

Augusta University Health said a data security incident was discovered
on September 11, 2017 following a phishing attack on some of its
employees. Some employees responded to the messages and disclosed
their login credentials, allowing their accounts to be accessed
remotely. In total, the email accounts of 24 university administration
and faculty staff members were compromised.

Upon discovery of the attack, the email accounts were disabled to
prevent data access and misuse of the accounts. The investigation
showed the breach had occurred on the same day or September 10. In
addition to changing passwords on the accounts, affected accounts were
monitored for any sign of suspicious activity.

Augusta University Health said in its substitute breach notice that it
was notified on July 31, 2018 by external investigators that there had
been a PHI/PII breach, more than 10 months after the breach was
detected. The investigators had to manually sort through 364,000
emails and email attachments to determine whether they included any
PII or PHI.

Breach notification letters are been sent to all individuals affected
by the breach, and a second phishing attack that occurred on July 11,
2018. The second phishing attack is still under investigation,
although it is not as severe. Free credit monitoring services are
being offered to individuals whose Social Security number was exposed.

Even though the breach occurred in September 2017, no reports have
been received by Augusta University Health to suggest that any PII or
PHI has been misused. However, as a precaution, all individuals
affected have been advised to carefully monitor their account
statements and Explanation of Benefits statements for any sign of
fraudulent activity.

These are not the only phishing incidents reported by Augusta
University Health. In total, there have been four successful phishing
attacks on Augusta University Health in the past two years. The
previous two phishing attacks affected a total of approximately 10,300
individuals.