GA university breach risks health, personal information of 417,000

Aug. 20, 2018

A breach of email accounts at Augusta University Health may have exposed sensitive health and personal information of about 417,000 people, including patients around Georgia, the university reported Aug. 16.

Those at risk are primarily patients of Augusta University Health, including Augusta University Medical Center (which is the teaching hospital for the Medical College of Georgia), Children’s Hospital of Georgia and more than 80 outpatient clinics around the state, according to the university.

It is unclear how many of those potential victims are from metro Atlanta.

Faculty members and “a small number” of students at Augusta University were also among those who may be affected, according to the university.

Exposed information may have included patient names, addresses, diagnoses, medications, lab results, dates of birth, treatment information, medical record numbers, medical information, surgical information, dates of service, and insurance information.

Social Security numbers and driver’s license numbers may also have been included “for a small percentage of individuals,” the university stated in a press release. It added that “no misuse of information has been reported at this time.”

On Sept. 11 of last year the university discovered an “intrusion” that occurred that day and the day before, according to university spokeswoman Christen Engel.

Engel said, though, that the university didn’t confirm that data had been breached or learn about its apparent scope until external investigators notified officials July 31, 2018.

The breach involved a phishing attack by an unauthorized user involving the email accounts of 24 university faculty and administrative personnel, Engel said. Investigators sifted through 364,000 emails and attachments, some of which may have been years old.

The university also reported that it is investigating another, apparently smaller, phishing attack that occurred July 11, 2018.

As for the first attack, “Augusta University is in the process of notifying identifiable individuals whose information may have been compromised and regulatory agencies.

“Individuals whose Social Security number may have been contained in the compromised information will be offered free credit monitoring services for one year,” the university stated. “Augusta University encouraged notified individuals to remain vigilant in reviewing account statements for fraudulent or irregular activity on a regular basis, including a review of any explanation of benefits statements.”

Engel said letters to people affected will be sent in about a week.

Augusta University medical emails have been put at risk in other past phishing attacks, including one in 2016 and another in April of 2017.

Data may have been exposed on about 4,700 people in the 2016 incident and another 5,600 patients in the April 2017 event, Engel said.

The university said it disabled the email accounts and required password changes, among other steps. In the April incident the emails contained sensitive information on patients, including in some cases financial information, prescription information, diagnosis and treatment information. External investigators “could not definitively conclude” if that information was accessed or viewed, according to a university statement last year.

AJC has the full story
