Augusta University Health Phishing Attacks Affected 417,000 People

Augusta University Health has announced it has experienced a data breach that has affected approximately 417,000 individuals, including students, faculty members and patients.

The majority of the people impacted by the breach were patients who received medical services at Children’s Hospital of Georgia or Augusta University Medical Center, although patients from more than 80 outpatient clinics in Georgia have also been affected by the breach and have had their protected health information (PHI) and personally identifiable information (PII) exposed.

The exposed information includes names, birth dates, laboratory test results, prescribed medications, diagnoses, treatment details, dates of service, surgical details, medical record numbers and medical insurance information. A small percentage of the affected people have had their Social Security number or driver’s license number exposed. The sensitive information was contained in emails and email attachments.

Augusta University Health discovered the data security incident on September 11, 2017. The investigation into the breach revealed that 24 employees’ email accounts had been compromised as a result of a phishing campaign targeting Augusta University Health.

To prevent account access and misuse of data, the employees’ email accounts were disabled immediately by changing the passwords. The compromised accounts were also monitored for suspicious activity. Investigators of the breach said that the attack happened either on September 10 or 11, 2017.

On July 31, 2018, which is over 10 months after the breach happened, Augusta University Health received information from external investigators that PHI/PII had been compromised. The investigators were required to manually check more than 364,000 emails and attachments to determine whether they contained PHI or PII.

Augusta University Health has now sent breach notification letters to all people affected by the phishing attack, and also to those impacted by a second, separate attack that occurred on July 11, 2018. Individuals who had their Social Security number or driver’s license number exposed have been offered credit monitoring services for 12 months without charge.

The latest two incidents bring the total to four successful phishing attacks on Augusta University Health in the past two years. The other two incidents resulted in the exposure of 10,300 patients’ PHI.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/