Data of more than 417,000 individuals exposed in multiple phishing attacks
The Augusta University (AU) Health system recently released a notice informing patients of an email breach. On July 31, 2018, investigators determined an unauthorized user may have had access to the personal and protected health information (PHI) of approximately 417,000 individuals.
However, the breach was not recent. In the notice, AU Health links the attack to fraudulent emails sent September 10–11, 2017. The investigation confirmed that the emails were “phishing” emails soliciting usernames and passwords.
The individuals affected by the breach include patients of the AU Health system (including the AU Medical Center, Children’s Hospital of Georgia, more than 80 outpatient clinics operating in Georgia, and a critical care center), as well as students, employees and their dependents, some applicants to AU, and some inquiring students who had their Free Application for Federal Student Aid (FAFSA) data sent to AU.
Personal information and PHI that may have been compromised include:
- Dates of birth
- Dates of service
- Insurance information
- Lab results
- Medical information
- Medical record numbers
- Names
- Surgical information
- Treatment information
AU Health also states that for a smaller number of individuals, Social Security numbers and driver’s license numbers may have been exposed.
This is not the only phishing attack AU Health has revealed recently. Another email attack, which occurred on July 11, 2018, is still being investigated. The second breach appears to be smaller in scope with fewer individuals affected, according to a message from the AU president.
In its notice, AU Health lists the actions it plans to take to prevent future attacks, including:
- Employing software to screen emails for PHI or personally identifiable information
- Enhancing compliance-related policies and procedures
- Implementing multifactor authentication for off-campus email and system access
- Implementing policy and procedure changes regarding PHI in email communications
- Increasing employee training on preventing security breaches
- Installing new leadership in a number of critical areas
- Reviewing and adopting solutions to limit email retention