Cyber Incident Victim: UAB Medicine
Date: Aug 2019
Location: United States of America
Summary
A phishing attack compromised a medical center's payroll department after employees provided credentials to fraudulent emails impersonating an executive, enabling unauthorized access to employee email accounts containing protected health information. Although the attackers failed to divert payroll payments, they exposed sensitive patient data including names, birth dates, diagnoses, treatment details, and some Social Security numbers for nearly 20,000 individuals. The organization notified affected patients, enhanced employee cybersecurity training, and implemented multifactor authentication for email accounts to mitigate future risks.
Description
On August 7, 2019, attackers launched a phishing campaign against UAB Medicine, sending employees fraudulent emails that impersonated an executive. The emails invited recipients to take part in a fabricated survey that asked them to enter their usernames and passwords. Several employees did so, giving the attackers access to their email accounts. With those credentials the attackers reached the organization’s payroll system and attempted to reroute employee direct deposits to attacker-controlled bank accounts. The payment diversion attempts failed, but the breach exposed the contents of multiple employee email accounts. A subsequent investigation found that these accounts contained protected health information (PHI) for 19,557 patients, including names, birth dates, medical record numbers, dates and locations of service, diagnosis details, and treatment information. For a subset of 19 individuals, Social Security numbers were also exposed. No systems or databases beyond the compromised email accounts and the payroll platform were accessed during the incident.

UAB Medicine confirmed the scope of the breach through forensic analysis and began notifying all affected patients by October 2019. Patients were advised to monitor their credit reports and insurance statements for fraudulent activity, and those whose Social Security numbers were compromised received additional direct notifications. In response to the attack, the institution reinforced its existing cybersecurity protocols by expanding mandatory employee training on phishing recognition and email security practices, and it deployed multifactor authentication (MFA) across all employee email accounts as an additional layer of protection against reuse of stolen credentials. Organizational statements emphasized a continuing commitment to patient data protection and ongoing efforts to prevent similar incidents, but no technical details about detection methods or containment timelines were disclosed publicly. The breach affected only data residing within individual email accounts; there was no evidence that the electronic health record (EHR) system or any clinical database was accessed.
