The Atlanta Journal-Constitution
Breach in Augusta targeted health data
It’s unclear how many potential victims are from metro Atlanta.
A breach of email accounts at Augusta University Health may have exposed sensitive health and personal information of about 417,000 people, including patients around the state, the university announced Thursday.
Those at risk are primarily patients of Augusta University Health, including Augusta University Medical Center (the teaching hospital for the Medical College of Georgia), Children’s Hospital of Georgia and more than 80 outpatient clinics around the state, according to the university.
It is unclear how many of those potential victims are from metro Atlanta.
Exposed information may have included patient names, addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, dates of service and insurance information.
And “for a small percentage of individuals, their Social Security number and/or driver’s license number may have been included,” the university stated in a news release. The university added that “no misuse of information has been reported at this time.”
”We take the protection of pri-
vate information seriously, and we apologize to every person affected by this incident,” Augusta University President Brooks Keel said in the release. “We are quickly working to implement several planned information security enhancements and will continue to look for ways to safeguard patient and personal privacy.”
On Sept. 11 of last year the university discovered an “intrusion” that occurred that day and the day before. But the university “didn’t find out it was a breach” or learn about its apparent scope until external investigators notified officials July 31, 2018, according to university spokeswoman Christen Engel.
The breach involved a phishing attack by an unauthorized user involving the email accounts of 24 university faculty and administrative personnel, Engel said.
The university reported Thursday that it is investigating another, apparently smaller, phishing attack that occurred July 11, 2018.
As for the first attack, “Augusta University is in the process of notifying identifiable individuals whose information may have been compromised and regulatory agencies.
“Individuals whose Social Security number may have been contained in the compromised information will be offered free credit monitoring services for one year,” the university stated. “Augusta University encouraged those notified individuals to remain vigilant in reviewing account statements for fraudulent or irregular activity on a regular basis, including a review of any explanation of benefits statements.”
Engel said letters to people affected will be sent in about a week.
The university is directing individuals with questions to call 1-877-327-1090 toll free, available weekdays between 9 a.m. and 9 p.m., or visit augusta.edu/notice.
Augusta University medical emails have been put at risk in other past phishing attacks, including one in 2016 and another in April 2017.
Engel didn’t have information available by deadline about how many people may have had data exposed in the 2016 incident. The April 2017 incident involved 5,634 patients, she said.
The university said it disabled the email accounts and required password changes, among other steps. In that incident the emails contained sensitive information on patients, including in some cases financial information, prescription information, diagnosis and treatment information. External investigators “could not definitively conclude” if that information was accessed or viewed, according to a university statement last year.
At the time, the university and medical center said they were “committed to maintaining the privacy of patient information and to continually evaluating and modifying practices to enhance appropriate security and privacy measures, including ongoing cybersecurity awareness of their workforce.”
Cybersecurity attacks have hammered a number of organizations around the nation. One of the biggest involved Atlanta-based data giant Equifax, where a breach last year may have compromised personal information on more than 147 million Americans.
Such incidents helped highlight the potential importance of the state’s recently opened $100 million Georgia Cyber Center in Augusta. The facility was designed to be used primarily in the training of cybersecurity experts for government and private industry.
One of the main partners involved in providing training at the new center? Augusta University.