At Augusta University, our top priorities are our students, employees and our patients, and that includes our obligation to safeguard their personal and health information.
It is with great regret that I tell you that Augusta University has experienced two cybersecurity incidents.
The university has been working closely with external cybersecurity professionals to define the scope of the first incident. On July 31, 2018, investigators determined that email accounts accessed earlier by an unauthorized user may have given them access to the personal and protected health information of approximately 417,000 individuals. The investigation also determined that the incident occurred on Sept. 10-11, 2017.
A second phishing attack occurred July 11, 2018, and appears to be smaller in scope.
When our IT Security team became aware of the September attack, they acted immediately: disabling the impacted email accounts, requiring password changes and monitoring our systems for additional suspicious activity. Shortly thereafter we engaged external cybersecurity experts to determine the extent of the attack.
While the investigation verified that personal information was contained in compromised email accounts, no misuse of information has been reported at this time.
We are reporting the results of our investigation to all appropriate law enforcement and state and federal regulatory agencies.
Our IT staff also reacted quickly to contain the July 11, 2018, attack. The number of email accounts involved in this attack is fewer than those in the September attack. The investigation into the consequences of that attack is still underway. We have again engaged experts in this area to support our work. I will share the results of that investigation with our community as soon as I am able.
To those of you whose information was potentially exposed, I offer you my deepest apology and my assurance that we are working diligently to understand how this happened and to do everything we can to reduce the risk of it happening again.
In an effort to strengthen our systems against future attacks, I have made changes in key leadership and called for the accelerated implementation of some initiatives that were already underway.
All potentially affected identifiable individuals will be personally notified, and those whose Social Security number may have been compromised will be offered free credit protection. Additional steps to safeguard personal information are described at augusta.edu/notice.
I am grateful for the work that each of you do every day to fulfill the mission of Augusta University. I appreciate your support as we work together to continuously improve our institutional cybersecurity.
Brooks A. Keel, PhD
President, Augusta University
CEO, AU Health