At Augusta University, our top priorities are our students, employees and our patients, and that includes our obligation to safeguard their personal and health information.
At Augusta University, our top priorities are our students, employees and our patients, and that includes our obligation to safeguard their personal and health information.It is with great regret that I tell you that Augusta University has experienced two cybersecurity incidents.The university has been working closely with external cybersecurity professionals to define the scope of the first incident. On July 31, 2018, investigators determined that email accounts accessed earlier by an unauthorized user may have given them access to the personal and protected health information of approximately 417,000 individuals. The investigation also determined that the incident occurred on Sept. 10-11, 2017. Continue Reading
We regret to inform you that a phishing attack on Augusta University’s email accounts may have led to the unauthorized access of protected health information and other personal information. The university has been working closely with external cybersecurity professionals to define the scope of this incident.
Augusta University was targeted by a series of fraudulent emails on Sept. 10-11, 2017. These sophisticated “phishing” emails solicited usernames and passwords, giving attackers access to a small number of internal email accounts.
Upon recognizing the nature of the attack, we acted promptly to stop the intrusion: disabling the impacted email accounts, requiring password changes for the compromised accounts, and maintaining heightened monitoring of the accounts to ensure that no other suspicious activity was taking place.
On July 31, 2018, investigators determined that email accounts accessed earlier by an unauthorized user may have given them access to the personal and protected health information of approximately 417,000 individuals.
Augusta University will mail notification letters via U.S. Mail in the coming weeks to individuals whose information was compromised by this incident (where last known home address was available).
We deeply regret this incident and the concern it has caused our students, employees and patients. In response, we have taken or will be promptly initiating several actions to protect against future incidents, including:
In some cases, patient information that may have been contained in compromised email accounts included patient names and one or more of the following: addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, dates of service and/or insurance information.
For a small percentage, information that may have been viewed included a Social Security number and/or driver’s license number.
Augusta University will offer free credit monitoring services for one year to individuals whose Social Security number was included in the compromised email accounts. If eligible, instructions on how to enroll are included in the notification letters that will be mailed to the impacted individual’s last known home address.
We encourage impacted individuals to remain vigilant in reviewing their financial account statements for fraudulent or irregular activity on a regular basis. Below is information about other precautionary measures impacted individuals can take, including placing a fraud alert and/or security freeze on credit files and obtaining a free credit report if Social Security number is impacted.
For individuals who have any questions or concerns regarding this incident, or to determine if your information was contained in compromised email accounts, please call our dedicated and confidential toll-free response line that we have set up to respond to questions at 1-877-327-1090. This response line is staffed with professionals familiar with this incident and knowledgeable on what patients can do to protect against misuse of their information. The response line is available Monday through Friday, 9 a.m. to 9 p.m. Eastern Time.
We have no information to date indicating that your Protected Health Information (PHI) involved in this incident was or will be used for any unintended purposes. As a general matter, however, the following practices can help to protect patients from medical identity theft.
You may place an initial 90-day “Fraud Alert” on your credit files, at no charge. A fraud alert tells creditors to contact you personally before they open any new accounts. To place a fraud alert, call any one of the three major credit bureaus at the numbers listed below. As soon as one credit bureau confirms your fraud alert, they will notify the others.
P.O. Box 105069
Atlanta, GA 30348
P.O. Box 2002
Allen, TX 75013
P.O. Box 2000
Chester, PA 19016
You may also place a security freeze on your credit reports. A security freeze prohibits a credit bureau from releasing any information from a consumer's credit report without the consumer's written authorization. However, please be advised that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing or other services. If you have been a victim of identity theft and you provide the credit bureau with a valid police report, it cannot charge you to place, lift or remove a security freeze. In all other cases, a credit bureau may charge you a fee to place, temporarily lift or permanently remove a security freeze. Fees vary based on where you live, but commonly range from $3 to $15. You will need to place a security freeze separately with each of the three major credit bureaus listed above if you wish to place a freeze on all of your credit files. In order to request a security freeze, you will need to supply your full name, address, date of birth, Social Security number, current address, all addresses for up to five previous years, email address, a copy of your state identification card or driver's license, and a copy of a utility bill, bank or insurance statement, or other statement proving residence. To find out more on how to place a security freeze, you can use the following contact information:
Equifax Security Freeze
PO Box 105788
Atlanta, GA 30348
Experian Security Freeze
PO Box 9554
Allen, TX 75013
TransUnion Security Freeze
P.O. Box 2000
Chester, PA 19016
Under federal law, you are entitled to one free credit report every 12 months from each of the above three major nationwide credit reporting companies. Call 1-877-322-8228 or request your free credit reports online at www.annualcreditreport.com. Once you receive your credit reports, review them for discrepancies. Identify any accounts you did not open or inquiries from creditors that you did not authorize. Verify all information is correct. If you have questions or notice incorrect information, contact the credit reporting company.
Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Checking your credit report periodically can help you spot problems and address them quickly.
If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call your local law enforcement agency and file a police report. Be sure to obtain a copy of the police report, as many creditors will want the information it contains to absolve you of the fraudulent debts. You may also file a complaint with the FTC by contacting them on the web at www.ftc.gov/idtheft, by phone at 1-877-IDTHEFT (1-877-438-4338), or by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcement for their investigations. In addition, you may obtain information from the FTC about fraud alerts and security freezes.
Iowa Residents: You may contact law enforcement or the Iowa Attorney General’s Office to report suspected incidents of identity theft: Office of the Attorney General of Iowa, Consumer Protection Division, Hoover State Office Building, 1305 East Walnut Street, Des Moines, IA 50319, www.iowaattorneygeneral.gov, Telephone: (515) 281-516
North Carolina Residents: You may obtain information about preventing identity theft from the North Carolina Attorney General’s Office: Office of the Attorney General of North Carolina, Department of Justice, 9001 Mail Service Center, Raleigh, NC 27699-9001, www.ncdoj.gov, Telephone: 877-566-7226.