417,000 Augusta University Health patient records breached nearly one year ago

The Georgia provider was hit by two cyberattacks in September 2017, but did not explain when the breach was discovered.
By Jessica Davis
03:48 PM

Augusta University Medical Center in Augusta, Georgia. Credit: augustahealth.org

Targeted phishing attacks on Georgia-based Augusta University Health may have breached the personal records of 417,000 patients after two cyberattacks that happened nearly a year ago.

According to the notice, hackers targeted the university health system with phishing emails Sept. 10-11, 2017. Other cyberattacks hit the health system in July 2018, September 2016 and April 2017.

The hackers solicited usernames and passwords, giving them access to a number of internal email accounts. Upon discovery, officials disabled the impacted email accounts.


But the notice did not explain when the discovery was made, nor why the notice comes almost a year after the cyberattacks. Augusta University Health did not respond to a request for comment.

The breached data included demographic information, medical record numbers, medical data, treatment information, surgical details, diagnoses, medications, dates of services and/or insurance information. Hackers commonly use this type of data for medical fraud.

For a small percentage of patients, Social Security and driver’s license numbers were included.


Officials said the investigation is still ongoing but "nearly complete." In July 2018, the investigators told officials that the compromised email accounts contained protected health information and other personal data, and that unauthorized access to it could not be ruled out.


Notifications will be sent to impacted patients in the coming weeks and will include one year of free credit monitoring.

In response to the attack, officials hired new leadership to fill roles in a number of critical departments. AU Health has implemented multifactor authentication for off-campus email access and is reviewing tools to limit email retention. Officials are also banning protected health information from email.

The health system also implemented software to screen emails for protected health or other personal data to prevent a similar incident in the future. Officials said they’ve also increased security training and enhanced compliance-related policies.
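The email screening described above is the kind of content filter that can stop a compromised or careless account from carrying identifiers out of the organization. The block below is an added illustration, not AU Health's software or any product the article names: it parses an outbound message with Python's standard `email` module and flags Social Security numbers (with the structurally invalid ranges excluded to cut false positives) and medical record numbers. The MRN format (`MRN` followed by eight digits) and the sample message are constructed assumptions for the example.

```python
"""Outbound-mail PHI screen (added example, not AU Health's own code).

Assumptions: the MRN format below is hypothetical, and the sample
message is constructed for the example.
"""
import email
import re
from email import policy

# SSN shape: 3-2-4 digits. Structural validity is checked separately.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Hypothetical MRN format for this example: "MRN" plus eight digits.
MRN_RE = re.compile(r"\bMRN[:\s#]*(\d{8})\b", re.IGNORECASE)


def valid_ssn(area, group, serial):
    """Reject SSNs the SSA never issues (area 000, 666, 900+; zero group/serial)."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_phi(text):
    """Return (kind, matched_text) for every identifier found in a string."""
    findings = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            findings.append(("ssn", m.group(0)))
    for m in MRN_RE.finditer(text):
        findings.append(("mrn", m.group(0)))
    return findings


def screen_message(raw):
    """Parse an RFC 5322 message and screen the subject and every text part.

    Multipart containers are skipped; only text/plain and text/html bodies
    are inspected, so attachments of other types would need their own handler.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    findings = find_phi(str(msg["Subject"] or ""))
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            findings.extend(find_phi(part.get_content()))
    return findings


def should_block(raw):
    """Policy decision: any identifier in an outbound message blocks it."""
    return bool(screen_message(raw))


# Constructed sample message: one real-looking SSN, one invoice number that
# has the SSN shape but an impossible area number, and an MRN in the subject.
SAMPLE = """From: nurse@example.org
To: billing@example.com
Subject: Follow-up for patient MRN 12345678
Content-Type: text/plain; charset="utf-8"

Patient SSN is 123-45-6789. Invoice number 000-12-3456 is not an SSN.
"""

if __name__ == "__main__":
    for kind, value in screen_message(SAMPLE):
        print(f"{kind}: {value}")
    print("block" if should_block(SAMPLE) else "allow")
```

A production filter would also decode attachments (PDFs, spreadsheets, images via OCR) and tune the identifier patterns to the institution's actual MRN scheme; the point here is that the screen sits on the mail path and blocks before delivery rather than relying on users to notice.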

Given the length of time between the actual incident and notification, AU Health’s breach should serve as a serious reminder for organizations to review their network monitoring policies. Many phishing attacks fly under the radar due to lax monitoring and issues with access management.

AU Health is just the latest to fall victim to targeted phishing attacks. In fact, Sunspire Health, a nationwide network of addiction treatment facilities, may have exposed patient data for months after a phishing attack. And a similar attack on UnityPoint Health breached 1.4 million patient records in April.


Twitter: @JF_Davis_
Email the writer: jessica.davis@himssmedia.com