Augusta University Health has announced it has experienced a data breach that has affected approximately 417,000 individuals, including students, faculty members and patients.
The majority of the people impacted by the breach were patients who received medical services at Children’s Hospital of Georgia or Augusta University Medical Center, although patients from more than 80 outpatient clinics in Georgia have also been affected by the breach and have had their protected health information (PHI) and personally identifiable information (PII) exposed.
The exposed information includes names, birth dates, laboratory test results, prescribed medications, diagnoses, treatment details, dates of service, surgical details, medical record numbers and medical insurance information. A small percentage of the affected people have had their Social Security number or driver’s license number exposed. The sensitive information was contained in emails and email attachments.
Augusta University Health discovered the data security incident on September 11, 2017. The investigation into the breach revealed 24 employees’ email accounts had been compromised as a result of a phishing campaign targeting the Augusta University Health.
To prevent account access and misuse of data, the employees’ email accounts were disabled immediately by changing the passwords. The compromised accounts were also monitored for suspicious activity. Investigators of the breach said that the attack happened either on September 10 or 11, 2017.
On July 31, 2018, which is over 10 months after the breach happened, Augusta University Health received information from external investigators that PHI/PII had been compromised. The investigators were required to manually check more than 364,000 emails and attachments to determine whether they contained PHI or PII.
Augusta University Health has now sent breach notification letters to all people affected by phishing attack, and also those impacted by a second, separate attack that occurred on July 11, 2018. Individuals who had their Social Security number of driver’s license exposed have been offered credit monitoring services for 12 months without charge.
The latest two incidents brings the total to four successful phishing attacks on Augusta University Health in the past two years. The other two incidents resulted in the exposure of 10,300 patients’ PHI.