At Augusta University, our top priorities are our students, employees and our patients, and that includes our obligation to safeguard their personal and health information.

It is with great regret that I tell you that Augusta University has experienced two cybersecurity incidents.

The university has been working closely with external cybersecurity professionals to define the scope of the first incident. On July 31, 2018, investigators determined that email accounts accessed earlier by an unauthorized user may have given them access to the personal and protected health information of approximately 417,000 individuals. The investigation also determined that the incident occurred on Sept. 10-11, 2017.

A second phishing attack occurred July 11, 2018, and appears to be smaller in scope.

When our IT Security team became aware of the September attack, they acted immediately:  disabling the impacted email accounts, requiring password changes and monitoring our systems for additional suspicious activity. Shortly thereafter we engaged external cybersecurity experts to determine the extent of the attack.

While the investigation verified that personal information was contained in compromised email accounts, no misuse of information has been reported at this time.

We are reporting the results of our investigation to all appropriate law enforcement and state and federal regulatory agencies.

Our IT staff also reacted quickly to contain the July 11, 2018, attack. The number of email accounts involved in this attack is fewer than those in the September attack. The investigation into the consequences of that attack is still underway. We have again engaged experts in this area to support our work. I will share the results of that investigation with our community as soon as I am able.

To those of you whose information was potentially exposed, I offer you my deepest apology and my assurance that we are working diligently to understand how this happened and to do everything we can to reduce the risk of it happening again. 

In an effort to strengthen our systems against future attacks, I have made changes in key leadership and called for the accelerated implementation of some initiatives that were already underway.

  • I have created a new position of Vice President for Audit, Compliance, Ethics and Risk Management to bring fresh leadership and direction to our compliance functions. I have asked Clay Sprouse to serve in that role as the interim. It will be his duty to ensure that any potential risks are identified and addressed appropriately by my leadership team.
  • Multifactor authentication for off-campus email and system access is currently being implemented.
  • IT will review and adopt solutions to limit email retention.
  • The leadership in AU Health will immediately take steps to implement a policy banning protected health information in email communications.
  • IT will review and adopt solutions to automatically screen emails for protected health information or personally identifiable information and prevent them from sending.
  • Additional employee training on their critical role in preventing security breaches will be provided this fall.

All potentially affected identifiable individuals will be personally notified, and those whose Social Security number may have been compromised will be offered free credit protection. Additional steps to safeguard personal information are described at

I am grateful for the work that each of you do every day to fulfill the mission of Augusta University. I appreciate your support as we work together to continuously improve our institutional cybersecurity.

Brooks A. Keel, PhD
President, Augusta University
CEO, AU Health