A breach of email accounts at Augusta University Health may have exposed sensitive health and personal information of about 417,000 people, including patients around Georgia, the university reported Thursday.
Those at risk are primarily patients of Augusta University Health, including Augusta University Medical Center (which is the teaching hospital for the Medical College of Georgia), Children’s Hospital of Georgia and more than 80 outpatient clinics around the state, according to the university.
It is unclear how many of those potential victims are from metro Atlanta
Faculty members and “a small number” of students at Augusta University were also among those who may be affected, according to the university.
Exposed information may have included patient names, addresses, diagnoses, medications, lab results, dates of birth, treatment information, medical record numbers, medical information, surgical information, dates of service and insurance information.
Social Security numbers and driver’s license numbers may also have been included “for a small percentage of individuals,” the university stated in a press release. It added that “no misuse of information has been reported at this time.”
“We take the protection of private information seriously, and we apologize to every person affected by this incident,” Augusta University President Brooks Keel said in the release. “We are quickly working to implement several planned information security enhancements and will continue to look for ways to safeguard patient and personal privacy.”
On September 11 of last year the university discovered an “intrusion” that occurred that day and the day before, according to university spokeswoman Christen Engel.
“We worked to stop the intrusion the very same day: disabling the impacted email accounts, requiring password changes for the compromised accounts and maintaining heightened monitoring of the accounts to ensure that no other suspicious activity was taking place,” she wrote in an email.
Engel said, though, that the university didn’t confirm that data had been breached or learn about its apparent scope until external investigators notified officials July 31, 2018.
The breach involved a phishing attack by an unauthorized user involving the email accounts of 24 university faculty and administrative personnel, Engel said. Investigators sifted through 364,000 emails and attachments, some of which may have been years old.
The university also reported Thursday that it is investigating another, apparently smaller, phishing attack that occurred July 11, 2018.
As for the first attack, “Augusta University is in the process of notifying identifiable individuals whose information may have been compromised and regulatory agencies.
“Individuals whose Social Security number may have been contained in the compromised information will be offered free credit monitoring services for one year,” the university stated. “Augusta University encouraged notified individuals to remain vigilant in reviewing account statements for fraudulent or irregular activity on a regular basis, including a review of any explanation of benefits statements.”
Engel said letters to people affected will be sent in about a week.
The university is directing individuals with questions to call 1-877-327-1090 toll free, available weekdays between 9 a.m. and 9 p.m., or visit augusta.edu/notice.
Augusta University medical emails have been put at risk in other past phishing attacks, including one in 2016 and another in April of 2017.
Data may have been exposed on about 4,700 people in the 2016 incident and another 5,600 patients in the April, 2017 event, Engel said.
The university said it disabled the email accounts and required password changes, among other steps. In the April incident the emails contained sensitive information on patients, including in some cases financial information, prescription information, diagnosis and treatment information. External investigators “could not definitively conclude” if that information was accessed or viewed, according to a university statement last year.
At the time, the university and medical center said they were “committed to maintaining the privacy of patient information and to continually evaluating and modifying practices to enhance appropriate security and privacy measures, including ongoing cybersecurity awareness of their workforce.”
Emory Roane of the Privacy Rights Clearinghouse said four possibly successful phishing attacks at one university in the course of two or three years “is concerning.”
But he said he doesn’t know whether the university has dropped the ball in its cyber efforts.
“Health and education are both huge targets for phishing attacks and target rich environments for data breaches,” he said.
Cybersecurity attacks have hammered many businesses and government organizations around the nation. One of the biggest attacks involved Atlanta-based data giant Equifax, where a breach last year may have compromised personal information on more than 147 million Americans.
Such incidents helped highlight the potential importance of the state’s recently opened $100-million Georgia Cyber Center in Augusta. The facility was designed to be used primarily in the training of cybersecurity experts for government and private industry.
One of the main partners involved in providing training at the new center? Augusta University.
Support real journalism. Support local journalism. Subscribe to The Atlanta Journal-Constitution today. See offers.
Your subscription to the Atlanta Journal-Constitution funds in-depth reporting and investigations that keep you informed. Thank you for supporting real journalism.