Augusta University Health has announced that a successful phishing attack has resulted in a hacker gaining access to over 417,000 sensitive files.
The University of Augusta announced a substituted substitute breach notice posted on its website. The announcement states that the breach was discovered on 31 July. IT security staff changed the password to the affected email accounts, thereby blocking the hacker’s access to the data stored on the accounts.
The University of Augusta launched an investigation into the breach soon after its discovery. Investigators determined that the breach was the result of a phishing campaign that ran between September 10-11, 2017. An employee responded to one of the emails, allowing the hacker to harvest their login credentials and accessing their email account.
The University of Augusta did not mention for how long the hacker had access to the email accounts in the breach notice. The notice states that investigators are still working to determine the cause and scope of the breach.
Analysts determined that the hacker could potentially access private health information (PHI) and personally identifiable information (PII) during the breach. This information could include names, demographic information, diagnoses, medications, dates of service, health insurance information, surgical details, medical record numbers, treatment information and other medical data. A small number of individuals also had their Social Security number or driver’s license number exposed.
Following HIPAA’s Breach Notification Rule, University of Augusta will send breach notification letters to all affected individuals in the coming days. As victims of data breaches are at heightened risk of becoming victims of identity fraud, University of Augusta will offer complimentary credit monitoring service to those affected. The University advises that all patients should monitor their accounts for any suspicious activity in the coming weeks.
The number of phishing campaigns targeting hospitals is on the rise. Phishing attacks were the leading cause of healthcare data breaches in the United States in the second quarter of 2018. Phishing campaigns are particularly successful as only one employee need respond to a phishing email for the hacker to gain access to hundreds or thousands of data files.
The breach notice submitted to the Department of Health and Human Services’ Office for Civil Rights shows that 417,000 individuals may have had their PHI or PII stolen as a result of the breach.