Cyber Incident Victim: Augusta University Health

Date: Apr 2017

Location: United States of America

Summary

A phishing attack compromised two employee email accounts at Augusta University Health, exposing sensitive patient data including names, Social Security numbers, medical records, and financial information. The breach affected fewer than 1% of patients, prompting credit monitoring offers for those with exposed SSNs; response measures included disabling accounts and password resets. This incident mirrored a prior phishing breach at the health system, with both cases involving extended investigation periods and delayed notifications; in the 2017 incident, notification came five months after the compromise.

Description

In April 2017, Augusta University Medical Center experienced a phishing attack that compromised two employee email accounts between April 20 and April 21. The breach was discovered on an unspecified date, prompting an investigation that concluded on July 18, 2017. Upon detection, the organization disabled access to the affected accounts and reset passwords. The investigation could not confirm whether attackers accessed or copied sensitive patient information stored in the emails. Exposed data included patient names, addresses, dates of birth, driver’s license numbers, financial account details, prescription information, diagnoses, treatment records, medical record numbers, and Social Security numbers. The scope of information varied per individual, with fewer than 1% of the medical center’s patients impacted. Notifications to affected patients occurred five months after the initial compromise, in September 2017. Augusta University Health offered credit monitoring and identity theft protection services specifically to patients whose Social Security numbers were exposed.

This incident followed a nearly identical phishing attack at the same institution between September 7-9, 2016, where a small number of employees disclosed email credentials in response to phishing attempts. The 2016 breach investigation concluded on March 29, 2017—over six months post-incident—with patient notifications occurring within 60 days of the investigation’s completion. The 2016 breach was reported to the HHS Office for Civil Rights on May 26, 2017. Both breaches exposed similar categories of sensitive data, though organizational responses differed in timing: the 2016 breach saw immediate password resets for all employees upon discovery, while in the 2017 breach a three-month investigation period was followed by a further two months before notifications were sent. Neither investigation confirmed data exfiltration, but the repeated incidents highlighted persistent phishing vulnerabilities affecting employee email systems.