Augusta University Health System, based in Augusta, Georgia, has reported that a phishing attack on email accounts that occurred last fall may have led to the unauthorized access of protected health information (PHI) of approximately 417,000 individuals.
In a notice posted on its website, Augusta University officials said the organization was targeted by a series of fraudulent emails on Sept. 10-11, 2017. “These sophisticated phishing emails solicited usernames and passwords, giving attackers access to a small number of internal email accounts,” officials said.
A second phishing attack occurred July 11, 2018, and appears to be smaller in scope, Augusta University President Brooks Keel, Ph.D., wrote in a separate message.
Augusta University officials said that, upon recognizing the nature of the attack, security leaders took action to stop the intrusion, including disabling the impacted email accounts, requiring password changes for the compromised accounts, and maintaining heightened monitoring of the accounts to ensure that no other suspicious activity was taking place.
On July 31, 2018, investigators determined that email accounts accessed earlier by an unauthorized user…