Georgia-based Augusta University Health claimed it was notified by investigators on July 31 that a September 2017 phishing attack on hospital staff may have given the hackers access to data on around 417,000 patients.
A second phishing attack on July 11 is also being investigated, and although the HCO said it was “smaller in scope” there were no more details about those potentially affected.
The breached information apparently includes a huge variety of sensitive data such as: addresses, dates of birth, medical record numbers, medical, treatment and surgical info, diagnoses, lab results, medications, insurance information and — for a small percentage of patients — even their Social Security and driver’s license numbers.
That kind of information could be used in follow-on phishing attacks, to conduct identity fraud attempts, or even to blackmail individual patients.
The HCO claims to have seen no misuse of the information so far, although that will be little comfort to those affected.
The apparent failure in internal security and incident response processes that left the breach undetected for 10 months and subsequent delay in reporting of another fortnight would have been taken very seriously by GDPR investigators, although it’s unlikely any EU citizens’ data is among that affected.
The hospital claims to have taken several steps to improve its cybersecurity posture since, including creating a VP of compliance and risk management, implementing MFA and revising its email policies.
Luke Brown, EMEA VP at WinMagic, said that a lack of encryption is a common pitfall which comes back to haunt breached firms.
“Falling victim to cyber-criminals is a simple matter of fact these days, and all organizations need to take precautions to mitigate the risks of an attack,” he added.
“All sensitive data, whether it is patient details or the patent to your best-selling secret sauce, should be encrypted as a basic security practice. In the event of a data breach, encryption acts as a last line of defense making data illegible when in the hands of malicious parties.”