Georgia-based Augusta University Health has admitted to being the victim of a data breach in 2017. In the breach, personal data of more than 417,000 patients, students, and faculty members was exposed. The breach resulted from a phishing attack. Augusta University disclosed the breach in a message that read:
“It is with great regret that I tell you that Augusta University has experienced two cybersecurity incidents.”
According to reports, the health institute was attacked twice by cybercriminals, and private and confidential data was compromised as a result.
The first attack occurred between Sept 10 and Sept 11, 2017, though the IT security team was not alerted to it until much later. Once alerted, they immediately disabled the “impacted email accounts,” says Brooks A. Keel, the president of the institute.
The second attack was launched after July 11, 2018. Its scope was much smaller, and the institute has not yet disclosed the extent of the damage, but it is clear that Social Security Numbers of individuals could have been exposed. The institute has announced that it will offer credit protection services to the affected individuals.
Later on, Augusta University Health brought the attack to the attention of cybersecurity professionals and sought their help in furthering the probe. By July 31, 2018, the institute had determined the scope of the first attack and which email account had been accessed. The investigation is still active and ongoing.
“To those whose information was potentially exposed, I offer you my deepest apology and my assurance that we are working diligently to understand how this happened and to do everything we can to reduce the risk of it happening again,” stated Keel.
After the incidents, Keel implemented a number of changes, including bringing in new leadership and carrying out various security improvements. These include multi-factor authentication for off-campus system access, including email. The institute also adopted new methods of limiting email retention, and a new policy now bans protected health information from being exchanged by email.
In addition, new tools have been brought in to limit email retention and to screen emails automatically in order to protect confidential private and hospital data. The institute also aims to initiate employee training programs to ensure that such breaches do not recur.
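The automatic email screening and the no-PHI-by-email policy described above can be implemented as an outbound-mail policy hook. The following is an added example written for this article, not Augusta University's own tooling: it assumes a mail pipeline that hands each outbound message to a policy function and acts on the returned verdict. The internal domain, the clinical term list and the sample messages are all constructed placeholders.

```python
"""Outbound-email screening for protected health information (PHI).

Added illustration of the control described in the article; it assumes a
hypothetical mail pipeline that calls screen_message() for each outbound
message and blocks, quarantines or delivers it according to the verdict.
"""
import re
from dataclasses import dataclass, field

# Formatted SSN. The lookaheads reject area/group/serial values that the
# SSA never issues, which cuts false positives on e.g. invoice numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Wording that suggests clinical content (constructed, hypothetical list).
CLINICAL_TERMS = ("diagnosis", "diagnoses", "lab result", "lab test",
                  "medication", "surgery", "health insurance")

# Domains treated as inside the organisation (constructed placeholder).
INTERNAL_DOMAINS = {"example-health.test"}


@dataclass
class Verdict:
    action: str                                   # "allow", "quarantine" or "block"
    reasons: list[str] = field(default_factory=list)


def mask_ssn(value: str) -> str:
    """Keep only the last four digits so the audit log itself holds no PHI."""
    return "***-**-" + value[-4:]


def screen_message(sender: str, recipients: list[str], subject: str, body: str) -> Verdict:
    """Decide what the mail pipeline should do with one outbound message."""
    text = f"{subject}\n{body}"
    lowered = text.lower()
    reasons: list[str] = []

    ssns = SSN_RE.findall(text)
    if ssns:
        reasons.append("SSN-like values: " + ", ".join(mask_ssn(s) for s in ssns))

    terms = [t for t in CLINICAL_TERMS if t in lowered]
    if terms:
        reasons.append("clinical terms: " + ", ".join(terms))

    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]

    if not reasons:
        return Verdict("allow")
    if ssns or external:
        # The policy bans PHI in email outright: an SSN anywhere, or clinical
        # wording leaving the organisation, is a hard stop.
        return Verdict("block", reasons)
    # Internal-only traffic with clinical wording: hold for a privacy review.
    return Verdict("quarantine", reasons)


# Constructed sample traffic, not real messages.
SAMPLE_MESSAGES = [
    ("a@example-health.test", ["b@example-health.test"],
     "Lunch on Friday?", "Let's meet at noon."),
    ("a@example-health.test", ["referral@other.test"],
     "Referral", "Patient SSN 123-45-6789, diagnosis attached."),
    ("a@example-health.test", ["c@example-health.test"],
     "Lab results for room 4 are ready", "See attachment."),
    ("hr@example-health.test", ["d@example-health.test"],
     "Payroll update", "Please correct the record for 234-56-7890."),
]


def screen_samples() -> list[tuple[str, str]]:
    """Return (subject, action) for each constructed sample message."""
    return [(subject, screen_message(sender, rcpts, subject, body).action)
            for sender, rcpts, subject, body in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for sender, rcpts, subject, body in SAMPLE_MESSAGES:
        v = screen_message(sender, rcpts, subject, body)
        print(f"{v.action:10} {subject!r} {'; '.join(v.reasons)}")
```

The verdict's reasons are deliberately masked so that the screening tool's own logs do not become a second store of the data the policy is trying to keep out of email. A production deployment would pair this with the retention limits the article mentions, since a block that is later overridden still leaves the message in a mailbox.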
Reports suggest that the data breach might have exposed names, dates of birth, addresses, medications, surgeries, diagnoses, lab test results and health insurance related information of the employees and students.
According to Luke Brown, VP EMEA at WinMagic, “When it comes to the protection of data, lack of safeguards, particularly encryption, is one of the most common pitfalls. Falling victim to cybercriminals is a simple matter of fact these days, and all organizations need to take precautions to mitigate the risks of an attack.”
“All sensitive data, whether it is patient details or the patent to your best-selling secret sauce, should be encrypted as a basic security practice. In the event of a data breach, encryption acts as a last line of defense making data illegible when in the hands of malicious parties,” Luke added.