Cyber Incident Victim: Augusta University Health
Date:
Sep 2017
Location:
United States of America
Summary
A phishing attack compromised email accounts at Augusta University Health, potentially exposing sensitive health and personal information of approximately 417,000 individuals, primarily patients across multiple medical facilities and clinics. The breach involved unauthorized access to faculty and administrative email accounts, potentially revealing patient names, diagnoses, treatment details, insurance information, and—for a limited subset—Social Security and driver's license numbers. The institution disabled affected accounts, mandated password resets, and initiated notifications to impacted individuals, offering credit monitoring to those with exposed Social Security numbers. Concurrently, it investigated another separate phishing incident. This marked the third such attack on the organization's systems in recent years, highlighting ongoing cybersecurity challenges.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On September 11, 2017, Augusta University Health discovered an intrusion into its email systems that occurred over two days (September 10-11, 2017). The breach stemmed from a phishing attack that compromised 24 faculty and administrative email accounts. The university immediately disabled affected accounts, forced password resets, and initiated monitoring for suspicious activity. External investigators later determined on July 31, 2018, that the breach exposed sensitive information of approximately 417,000 individuals—primarily patients of Augusta University Medical Center, Children’s Hospital of Georgia, and over 80 outpatient clinics statewide, along with some faculty and students. Exposed data included patient names, addresses, diagnoses, medications, lab results, dates of birth, treatment details, medical record numbers, surgical information, dates of service, and insurance data. Social Security numbers and driver’s license numbers were potentially compromised for a small percentage of individuals. Investigators reviewed 364,000 emails and attachments, some dating back years, to assess the scope. The university concurrently disclosed a separate, smaller phishing incident from July 11, 2018, under investigation at the time of the announcement.
Augusta University began notifying affected individuals and regulatory agencies starting August 16, 2018, with letters scheduled for mailing within a week. Those with exposed Social Security numbers were offered one year of free credit monitoring. The university established a dedicated toll-free hotline and informational website for inquiries. This marked at least the third phishing incident since 2016, with prior breaches affecting 4,700 individuals in 2016 and 5,600 in April 2017. In those cases, compromised emails contained similar sensitive data—including financial details, prescriptions, diagnoses, and treatment information—though investigators could not confirm unauthorized access. The university reiterated its implementation of planned security enhancements and apologized for the incident, emphasizing ongoing efforts to safeguard privacy. No misuse of exposed information had been reported at the time of disclosure.