August 19, 2018
A serious data breach has been reported by Augusta University Health that has impacted roughly 417,000 people, including faculty members, patients, and a limited number of students.
Most of the patients affected by the breach had previously received medical services at Augusta University Medical Center or Children’s Hospital of Georgia, although patients from more than 80 outpatient health centers in Georgia have also been affected and had their personally identifiable information (PII) and protected health information (PHI) disclosed.
A wide variety of PII and PHI was disclosed, including names, surgical information, medical record numbers, dates of service, treatment information, medications, diagnoses, lab test results, dates of birth, addresses, and health insurance details. Augusta University Health said only a small fraction of people had a driver’s license number or Social Security number disclosed. The PII and PHI were stored in emails and email attachments.
Augusta University Health said a data security incident was discovered on September 11, 2017 after a phishing attack on some of its workers. Some workers responded to the messages and revealed their login credentials, allowing their accounts to be accessed remotely. In total, the email accounts of 24 university administration and faculty staff members were compromised.
Upon discovery of the attack, the email accounts were deactivated to prevent data access and abuse of the accounts. The investigation showed the breach had occurred on the same day or on September 10. In addition to changing the passwords on the accounts, affected accounts were checked for any indication of suspicious activity.
Augusta University Health said in its substitute breach notification that it was informed on July 31, 2018 by external investigators that there had been a PHI/PII breach, over 10 months after the breach was discovered. The investigators had to manually sort through 364,000 emails and email attachments to determine whether they contained any PII or PHI.
Breach notification letters are being sent to all people affected by the breach and by a second phishing attack that occurred on July 11, 2018. The second phishing attack is still under investigation, though it is not as severe. Free credit monitoring services are being offered to people whose Social Security numbers were disclosed.
Although the breach occurred in September 2017, no reports have been received by Augusta University Health to indicate that any PII or PHI has been misused. Nevertheless, as a precaution, all people affected have been advised to carefully check their account statements and Explanation of Benefits statements for any indication of fraudulent activity.
These are not the only phishing incidents reported by Augusta University Health. Altogether, there have been four successful phishing attacks on Augusta University Health in the previous two years. The previous two phishing attacks affected a total of roughly 10,300 people.