2 attacks imperil info for 417,000 at Augusta University Health System

Two cyberattacks at a Georgia health system has put the personal and protected health information of approximately 417,000 individuals at risk.

Augusta University Health System has been working with cybersecurity professionals to define the scope of the first breach and on July 31, 2018, determined that email accounts accessed earlier by an unauthorized person were the source of the large breach, which initially occurred on September 10 and 11, 2017.

“When our IT security team became aware of the September attack, they acted immediately by disabling the impacted email accounts, requiring password changes and monitoring our systems for additional suspicious activity,” said Brooks A. Keel, president of Augusta University, in a message to patients, students and employees.

A second phishing attack this past July 11 appears to be smaller in scope, although the extent of that breach was not made public.

The investigation of the most recent attack in July remains active, Keel said. “We have again engaged experts in this area to support our work.”

Augustahealth-CROP.jpg

Also See: Boys Town Hospital cyberattack affects records of 105,000 patients

“To those whose information was potentially exposed, I offer you my deepest apology and my assurance that we are working diligently to understand how this happened and to do everything we can to reduce the risk of it happening again,” he added.

Keel also made personnel changes following the incidents, bringing in fresh leaders and direction to the organization’s compliance functions. Other security improvements include implementation of multi-factor authentication for off-campus email and system access, adoption of solutions to limit email retention, a new policy to ban protected health information in email communications, tools to automatically screen emails for protected health information or personally identifiable information, and additional employee training on preventing breaches.

An undisclosed number of individuals whose Social Security numbers may have been exposed will receive credit protection services. To date, no misuse of protected information has been reported, according to the university.

Augusta University Health System declined to provide additional details about the incident.

For reprint and licensing requests for this article, click here.