The personal health information of 417,000 people may have been exposed following a phishing attack that targeted Augusta University (AU) Health in Augusta, Georgia.
The university was the target of two seperate cybersecurity attacks. Investigators are determining the scope of the second attack, which occurred in July, after an initial attack in Sept. 2017. Combined, both attacks could have potentially exposed sensitive information of about 417,000 people.
According to a statement, the university was targeted by a series of phishing emails that solicited usernames and passwords. After discovering the attack, the university disabled impacted email accounts, required passwords changes for the compromised accounts and heightened its security for any additional attacks
Information that may have been in compromised during the attacks included patient names, addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, dates of services and/or insurance information.
“When our IT security team became aware of the September attack, they acted immediately—disabling the impacted email accounts, requiring password changes and monitoring our systems for additional suspicious activity. Shortly thereafter we engaged external cybersecurity experts to determine the extent of the attack,” Brooks Keel, PhD, Augusta University president and CEO of AU Health, said in a statement.
“While the investigation verified that personal information was contained in compromised email accounts, no misuse of information has been reported at this time.”