The personal records of approximately 417,000 individuals may have been exposed in two seperate phishing attacks that targeted Georgia-based Augusta University Health.
The university discovered the intrusion on July 31, 2018. Investigators determined that the first incident occurred between September 10 and 11, 2017, and was followed by a second attack on July 11, 2018.
During the investigation it was found that an email account accessed earlier by an unauthorised user may have given access to a number of internal email accounts. Upon discovering the incident, the IT security team of the university was quick to take corrective measures by blocking the compromised email accounts.
“When our IT Security team became aware of the September attack, they acted immediately: disabling the impacted email accounts, requiring password changes and monitoring our systems for additional suspicious activity. Shortly thereafter we engaged external cybersecurity experts to determine the extent of the attack” Augusta University President Brooks Keel said in a release note.
The impacted data includes demographic information, medical record numbers, medical data, treatment information, surgical details, diagnoses, medications, dates of services and insurance information, HealthCare IT News reported. A small portion of patients also had their Social Security and driver’s license numbers compromised.
While the investigation is still underway, the university claims that there has been no report on the misuse of the personal information and that they are following right security protocols such as informing the law enforcement agencies to address the issue.
“We are reporting the results of our investigation to all appropriate law enforcement and state and federal regulatory agencies. We have again engaged experts in this area to support our work. I will share the results of that investigation with our community as soon as I am able,” Keel added.
In an effort to boost the system's security against attacks, the university has implemented a few changes. This includes deploying multi-factor authentication, adopting solutions to limit email retention, implementing a policy that will prohibit the sharing of protected health information over email and training the employees on how to prevent security breaches.