Faculty members fooled by phishing attack at Georgia hospital
Augusta University Medical Center in Georgia recently learned that multiple faculty members were victimized by a phishing attack on their email systems, and it is now notifying 6,109 affected patients.
Phishing attacks fool individuals into clicking malicious links or opening malicious documents delivered in an email that appears to be legitimate.
The medical center discovered the breach on July 18; forensics investigators later determined that the breach occurred between April 20 and 21. However, it could not be determined if protected health information was actually accessed, viewed, downloaded or otherwise acquired by an unauthorized user.
The organization conducts routine in-house phishing attacks to determine if employees are getting fooled and re-educates them on security protocols, says Jim Rush, chief integrity officer. The training can cut down on attacks yet won’t stop all incursions, he adds. “The attackers are really good at what they do; they really have emails that look legitimate. It is easy to fall prey to this.”
The medical center has protocols in place for employees to forward suspicious emails for evaluation by security experts, and also to forward any external emails for examination.
Compromised information could have included patient names, home addresses, dates of birth, financial account information, driver’s license numbers, medical record numbers, insurance information, prescriptions, diagnosis and condition, and treatment information.
Since the incident, Augusta University Medical Center has disabled impacted email accounts, tightened password requirements and increased monitoring of certain accounts, among other remediation.
Approximately 36 affected individuals with compromised Social Security numbers have been offered one year of credit monitoring and identity theft restoration services, Rush says.