At Augusta University, our top priorities are our students, employees and our patients, and that includes our obligation to safeguard their personal and health information.

Augusta University has experienced two cybersecurity incidents. Read details of the incidents below or see a list of frequently asked questions.

Message from the President

At Augusta University, our top priorities are our students, employees and our patients, and that includes our obligation to safeguard their personal and health information.

It is with great regret that I tell you that Augusta University has experienced two cybersecurity incidents.

The university has been working closely with external cybersecurity professionals to define the scope of the first incident. On July 31, 2018, investigators determined that email accounts accessed earlier by an unauthorized user may have given them access to the personal and protected health information of approximately 417,000 individuals. The investigation also determined that the incident occurred on Sept. 10-11, 2017.

Updated on August 17, 2018

Notice Regarding Security Incident


We regret to inform you that a phishing attack on Augusta University’s email accounts may have led to the unauthorized access of protected health information and other personal information. The university has been working closely with external cybersecurity professionals to define the scope of this incident.

What Happened?

Augusta University was targeted by a series of fraudulent emails on Sept. 10-11, 2017. These sophisticated “phishing” emails solicited usernames and passwords, giving attackers access to a small number of internal email accounts.

Upon recognizing the nature of the attack, we acted promptly to stop the intrusion: disabling the impacted email accounts, requiring password changes for the compromised accounts, and maintaining heightened monitoring of the accounts to ensure that no other suspicious activity was taking place.

On July 31, 2018, investigators determined that email accounts accessed earlier by an unauthorized user may have given them access to the personal and protected health information of approximately 417,000 individuals.

Augusta University will mail notification letters via U.S. Mail in the coming weeks to individuals whose information was compromised by this incident (where last known home address was available).

We deeply regret this incident and the concern it has caused our students, employees and patients. In response, we have taken or will be promptly initiating several actions to protect against future incidents, including:

  • Installing new leadership in a number of critical areas
  • Implementing multifactor authentication for off-campus email and system access
  • Reviewing and adopting solutions to limit email retention
  • Implementing policy and procedure changes regarding protected health information in email communications
  • Employing software to screen emails for protected health information or personally identifiable information to prevent them from being sent
  • Increasing employee training on their critical role in preventing security breaches
  • Enhancing our compliance-related policies and procedures

What Information Was Involved?

In some cases, patient information that may have been contained in compromised email accounts included patient names and one or more of the following: addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, dates of service and/or insurance information.

For a small percentage, information that may have been viewed included a Social Security number and/or driver’s license number.

What Should Impacted Individuals Do Next?

Augusta University will offer free credit monitoring services for one year to individuals whose Social Security number was included in the compromised email accounts. If eligible, instructions on how to enroll are included in the notification letters that will be mailed to the impacted individual’s last known home address.

We encourage impacted individuals to remain vigilant in reviewing their financial account statements for fraudulent or irregular activity on a regular basis. Below is information about other precautionary measures impacted individuals can take, including placing a fraud alert and/or security freeze on credit files and obtaining a free credit report if their Social Security number is impacted.

For More Information

If you have any questions or concerns regarding this incident, or want to determine whether your information was contained in compromised email accounts, please call the dedicated and confidential toll-free response line that we have set up to respond to questions at 1-877-327-1090. This response line is staffed with professionals familiar with this incident and knowledgeable on what patients can do to protect against misuse of their information. The response line is available Monday through Friday, 9 a.m. to 9 p.m. Eastern Time.

Privacy Safeguards Information

Protecting Your Health Information

We have no information to date indicating that your Protected Health Information (PHI) involved in this incident was or will be used for any unintended purposes. As a general matter, however, the following practices can help to protect patients from medical identity theft.

  • Only share your health insurance cards with your health care providers and other family members who are covered under your insurance plan or who help you with your medical care.
  • Review your “explanation of benefits statement” which you receive from your health insurance company. Follow up with your insurance company or care provider for any items you do not recognize. If necessary, contact the care provider on the explanation of benefits statement and ask for copies of medical records from the date of the potential access (noted above) to current date.
  • Ask your insurance company for a current year-to-date report of all services paid for you as a beneficiary. Follow up with your insurance company or the care provider for any items you do not recognize.
  • Remain vigilant in reviewing your account statements regularly for fraudulent or irregular activity.

Additional Privacy Safeguards Information

Placing a Fraud Alert

You may place an initial 90-day “Fraud Alert” on your credit files, at no charge.  A fraud alert tells creditors to contact you personally before they open any new accounts.  To place a fraud alert, call any one of the three major credit bureaus at the numbers listed below.  As soon as one credit bureau confirms your fraud alert, they will notify the others. 

Equifax
P.O. Box 105069
Atlanta, GA 30348
www.equifax.com
1-800-525-6285

Experian
P.O. Box 2002
Allen, TX 75013
www.experian.com
1-888-397-3742

TransUnion
P.O. Box 2000
Chester, PA 19016
www.transunion.com
1-800-680-7289

Placing a Security Freeze on Your Credit File

You may also place a security freeze on your credit reports. A security freeze prohibits a credit bureau from releasing any information from a consumer's credit report without the consumer's written authorization. However, please be advised that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing or other services. If you have been a victim of identity theft and you provide the credit bureau with a valid police report, it cannot charge you to place, lift or remove a security freeze. In all other cases, a credit bureau may charge you a fee to place, temporarily lift or permanently remove a security freeze. Fees vary based on where you live, but commonly range from $3 to $15. You will need to place a security freeze separately with each of the three major credit bureaus listed above if you wish to place a freeze on all of your credit files. In order to request a security freeze, you will need to supply your full name, address, date of birth, Social Security number, current address, all addresses for up to five previous years, email address, a copy of your state identification card or driver's license, and a copy of a utility bill, bank or insurance statement, or other statement proving residence. To find out more on how to place a security freeze, you can use the following contact information:

Equifax Security Freeze
PO Box 105788
Atlanta, GA 30348
freeze.equifax.com
1-800-685-1111

Experian Security Freeze
PO Box 9554
Allen, TX 75013
experian.com/freeze
1-888-397-3742

TransUnion Security Freeze
P.O. Box 2000
Chester, PA 19016
transunion.com/securityfreeze
1-888-909-8872

Obtaining a Free Credit Report

Under federal law, you are entitled to one free credit report every 12 months from each of the above three major nationwide credit reporting companies. Call 1-877-322-8228 or request your free credit reports online at www.annualcreditreport.com.  Once you receive your credit reports, review them for discrepancies. Identify any accounts you did not open or inquiries from creditors that you did not authorize.  Verify all information is correct.  If you have questions or notice incorrect information, contact the credit reporting company.

Additional Helpful Resources

Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Checking your credit report periodically can help you spot problems and address them quickly.

If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call your local law enforcement agency and file a police report.  Be sure to obtain a copy of the police report, as many creditors will want the information it contains to absolve you of the fraudulent debts.  You may also file a complaint with the FTC by contacting them on the web at www.ftc.gov/idtheft, by phone at 1-877-IDTHEFT (1-877-438-4338), or by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580.  Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcement for their investigations. In addition, you may obtain information from the FTC about fraud alerts and security freezes.

State Information as applicable

Iowa Residents: You may contact law enforcement or the Iowa Attorney General’s Office to report suspected incidents of identity theft:  Office of the Attorney General of Iowa, Consumer Protection Division, Hoover State Office Building, 1305 East Walnut Street, Des Moines, IA 50319, www.iowaattorneygeneral.gov, Telephone: (515) 281-516

North Carolina Residents: You may obtain information about preventing identity theft from the North Carolina Attorney General’s Office: Office of the Attorney General of North Carolina, Department of Justice, 9001 Mail Service Center, Raleigh, NC 27699-9001, www.ncdoj.gov, Telephone: 877-566-7226.

Frequently Asked Questions


What happened?

Augusta University was targeted by a series of fraudulent emails. These sophisticated “phishing” emails solicited usernames and passwords, giving attackers access to a small number of internal email accounts. 

How did Augusta University respond?

Upon recognizing the nature of the attack, we acted promptly to stop the intrusion: disabling the impacted email accounts, requiring password changes for the compromised accounts, and maintaining heightened monitoring of the accounts to ensure that no other suspicious activity was taking place.  

We simultaneously started an investigation into the incident and retained external cybersecurity professionals to analyze the extent of any compromise to the email accounts.

On July 31, 2018, investigators determined that email accounts accessed earlier by an unauthorized user may have given them access to the personal and protected health information of approximately 417,000 individuals. The forensic investigation determined that the compromise of the email accounts occurred during a limited period of time on September 10-11, 2017.

Will I receive a notification from Augusta University?

We will send notification letters via U.S. mail to affected individuals for whom we have addresses. We will provide substitute notice for affected individuals for whom we do not have addresses.

Who is affected?

Some individuals within the following categories may be impacted:  patients, students, employees and their dependents, some applicants to Augusta University and some who asked that their FAFSA data be sent to AU.

How can I determine if my information is affected?

You may call our toll-free call center from 9 a.m. to 9 p.m. Monday through Friday at 1-877-327-1090.

Why did Augusta University have my information?

If you are a patient, you provided AU Health with some of your protected health information or personal information in connection with medical services provided to you by an AU Health provider. For students and employees, personally identifiable information is part of your student or employee record.

What types of protected information are potentially involved?

The compromised email accounts that were accessed contained name and/or one or more of the following: date of birth, address, driver’s license number, medical record number, insurance information, prescription information, medical information, surgical information, diagnosis/condition, lab results, dates of service, treatment information, Social Security number and/or financial account information. If your Social Security number and/or financial account information was compromised and we have your mailing address, you will be notified in your notice letter.

Will credit monitoring be offered?

Affected individuals with Social Security numbers involved will be offered complimentary credit monitoring and identity theft restoration services, which will be explained in detail in the notice letters that will be mailed to individuals’ home addresses.

Why is Augusta University not offering credit monitoring to certain individuals?

While some individuals’ protected health information or personal information may have been contained in compromised email accounts, not all individuals’ Social Security numbers and/or driver’s license numbers were contained within the compromised accounts; numbers that were not contained in those accounts are not at risk as a result of this incident. Since a credit monitoring service does not track activity related to medical, health or insurance information, credit monitoring would not be an effective way to track that information. Instead, individuals should review the “explanation of benefits statement” that they receive from their health insurance company. Follow up with the insurance company or care provider for any items not recognized.

When was the information available to the unauthorized person(s)?

The forensic investigation concluded that the compromise of the email accounts occurred during a limited period of time on September 10-11, 2017. Therefore, the information could have been available to the unauthorized individual(s) on September 10-11, 2017.

What has the unauthorized person(s) done with my information?

To date, we are unaware of any actual or attempted misuse of your information resulting from this incident.

As a result of this incident, will I become a victim of identity theft?

To date, we are unaware of any actual or attempted misuse of your information resulting from this incident.

How can I protect my health information?

We have no information to date indicating that your protected health information involved in this incident was or will be used for any unintended purposes. As a general matter, however, the following practices can help to protect you from medical identity theft.

  • Only share your health insurance cards with your health care providers and other family members who are covered under your insurance plan or who help you with your medical care.
  • Review your “explanation of benefits statement” which you receive from your health insurance company. Follow up with your insurance company or the care provider for any items you don’t recognize. If necessary, contact the care provider on the explanation of benefits statement and ask for copies of medical records from the date of the potential access (September 10, 2017) to current date.
  • Ask your insurance company for a current year-to-date report of all services paid for you as a beneficiary. Follow up with your insurance company or care provider for any items you don’t recognize.

Why was there a delay in notification of this incident?

The attackers gained access to 24 employee email accounts, which were promptly identified and secured. Some of these email accounts contained spreadsheets of information. Investigators had to manually review more than 364,000 emails and attachments. Unfortunately, this complex review took a long time. We also identified a number of areas in which we will strengthen our cybersecurity.

Should I close my bank account?

If your notice letter states that your financial account information was included, you should contact your financial institution to determine if you should close your bank account. It is good practice to review your financial account statements on a regular basis and always be attentive when reviewing account information.

Should I cancel my credit card?

If your notice letter states that your credit card information was included, you should contact your credit card company to determine if you should close your account. It is good practice to review your financial account statements on a regular basis and always be attentive when reviewing account information.

Is my personal information safe with Augusta University?

Yes. The security of your personal information is critically important to us, and we take this responsibility very seriously. We have installed new leadership in critical areas and implemented several new policies, procedures and trainings to help protect against future exposure.

What is Augusta University doing in light of this incident?

Upon learning of the attack, we promptly disabled the impacted email accounts, required password changes for the compromised accounts, and maintained heightened monitoring of the accounts. We are committed to maintaining the privacy of patient and personal information, and will continually evaluate and modify practices to enhance appropriate security and privacy measures including ongoing cybersecurity awareness for our workforce.

We have also appointed new leadership in key areas and are adding more sophisticated authentication procedures, changing information management policies, and adding technical screening to our email system. In addition, we are enhancing compliance staffing and training. Further, we are devoting considerable resources to ensure that the affected individuals are fully informed and protected as a result of this unfortunate incident.

What can I do now to protect myself?

We suggest you consider taking the following steps:

  • Enroll in the credit monitoring services offered at no cost to you if included in your notice letter. (If you are eligible to enroll in credit monitoring services, enrollment instructions are contained in your notice letter);
  • Place a Fraud Alert on your credit files;
  • Obtain a free credit report;
  • Take steps to protect your health and insurance information.

What is a fraud alert?

A fraud alert tells creditors to contact you personally before they open any new accounts.

How do I place a fraud alert on my account?

In order to place a fraud alert, you will need to call any one of the three major credit bureaus. (As soon as one credit bureau confirms your fraud alert, they will notify the others to place fraud alerts).

Equifax
P.O. Box 105069
Atlanta, GA 30348
www.equifax.com
1-800-525-6285

Experian
P.O. Box 2002
Allen, TX 75013
www.experian.com
1-888-397-3742

TransUnion
P.O. Box 2000
Chester, PA 19016
www.transunion.com
1-800-680-7289

How long does a fraud alert last?

An initial fraud alert lasts 90 days and it is free; you may then renew the fraud alert for an additional 90 days.

Will a fraud alert stop me from using my credit cards?

No. A fraud alert will not stop you from using your credit cards or other accounts.

Can I still apply for a credit card after I place a fraud alert on my credit report?

Yes, but the verification process may be more cumbersome or may require more steps. Potential creditors will receive a message alerting them to the possibility of fraud and that creditors should re-verify the identity of a person applying for credit.

How do I place a Security Freeze on my credit files?

If you are very concerned about becoming a victim of fraud or identity theft, you may request a “Security Freeze” be placed on your credit file. A security freeze prohibits, with certain specific exceptions, the consumer reporting agencies from releasing your credit report or any information from it without your express authorization. You may place a security freeze on your credit report by sending a request in writing, by mail, to all three nationwide credit reporting companies. To find out more on how to place a security freeze, you can use the following contact information:

Equifax Security Freeze
PO Box 105788
Atlanta, GA 30348
freeze.equifax.com
1-800-685-1111

Experian Security Freeze
PO Box 9554
Allen, TX 75013
experian.com/freeze
1-888-397-3742

TransUnion Security Freeze
P.O. Box 2000
Chester, PA 19016
transunion.com/securityfreeze
1-888-909-8872

What should I do if I find suspicious activity on my credit reports or other accounts?

Promptly call your local law enforcement agency and file a police report. Get a copy of the police report, as many creditors will want the information it contains to absolve you of fraudulent debts. You may also file a complaint with the FTC at www.ftc.gov/idtheft or reach the FTC at 1-877-IDTHEFT (1-877-438-4338) or 600 Pennsylvania Avenue, NW, Washington, DC 20580. Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcers for their investigations.

When I called to place a fraud alert, they asked for my Social Security number. Is this ok?

Yes. The credit bureaus will indeed ask for your Social Security number and other personal information to verify your identity and avoid sending any credit report or correspondence to the wrong individual. However, we caution you against providing any information to any entity or person who contacts you directly asking for your personal information.

How do I obtain a free credit report?

Under federal law, you are entitled to one free credit report every 12 months from each of the three major nationwide credit reporting companies. Call 1-877-322-8228 or request your free credit reports online at www.annualcreditreport.com. Once you receive your credit reports, review them for discrepancies. Identify any accounts you did not open or inquiries from creditors that you did not authorize. Verify all information is correct. If you have questions or notice incorrect information, contact the credit reporting company.