Georgia university risks health, personal information of 417K in breach from 1 year ago

Augusta (Ga.) University is notifying 417,000 patients about a potential compromise of their protected health information after hackers stole 24 employees' email account login credentials through a series of phishing emails in September 2017.

Investigators determined July 31 that the email accounts included patient names and one or more of the following: addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, dates of service and insurance information. A limited number of Social Security numbers and driver's license numbers were also included.

Officials haven't been able to determine whether patient information was actually accessed, viewed, downloaded or acquired by the unauthorized user, according to the organization's notice. The organization's external investigation is ongoing.

The university said it identified the attacks immediately and secured the accounts. It attributed the delay in notification to investigators needing to manually review more than 364,000 emails and attachments, some of which involved spreadsheets of information.

Augusta University has taken the following steps to protect against future phishing incidents:

  • Appointing new leadership to several critical areas
  • Implementing multifactor authentication for off-campus email and system access
  • Reviewing and adopting solutions to limit email retention
  • Banning PHI in email communications
  • Deploying software to screen emails and block them from being sent if they contain PHI
  • Increasing employee training on their roles in preventing security breaches
  • Enhancing its compliance-related policies and procedures

Copyright © 2024 Becker's Healthcare. All Rights Reserved.