Augusta University Health has experienced a phishing attack that has resulted in the unauthorized accessing of several employees’ email accounts.
The substitute breach notice uploaded to the University of Augusta website indicates investigators determined on July 31, 2018 that email accounts containing the protected health information (PHI) of patients and personally identifiable information (PII) of employees had been compromised.
The breach notice states that its employees were targeted with a series of phishing emails between September 10-11, 2017. Responses to those emails resulted in login credentials being divulged. Upon discovery of the breach, access to the compromised email accounts was blocked by changing the passwords. Following the password change, the email accounts were monitored closely to ensure unauthorized access did not continue.
However, no mention was made about when the breach was discovered to have occurred. The investigation into the breach is ongoing, suggesting the incident was only recently discovered. If that was the case, the attackers potentially had access to the email accounts for up to 10 months before a security breach was detected.
The types of data exposed included names, demographic information, diagnoses, medications, dates of service, health insurance information, surgical details, medical record numbers, treatment information and other medical data. A small number of individuals also had their Social Security number and/or driver’s license number exposed.
All affected individuals will be notified of the breach in the next few days. Affected individuals have been offered complimentary credit monitoring services.
The past few months have seen an increase in phishing attacks on healthcare organizations. In the second quarter of 2018, phishing attacks were the leading cause of healthcare data breaches in the United States.
What makes this phishing attack stand out is the sheer quantity of data contained in the compromised email accounts. The breach notice submitted to the Department of Health and Human Services’ Office for Civil Rights shows 417,000 individuals may have had their PHI or PII stolen as a result of the breach.