A phishing attack aimed at the email accounts of 24 university faculty and administrators at Augusta University Health led to the exposure of medical and personal information on about 417,000 individuals.
“No misuse of information has been reported at this time,” Augusta University President Brooks Keel said in a release. “We are quickly working to implement several planned information security enhancements and will continue to look for ways to safeguard patient and personal privacy.”
The university discovered the intrusion by an unauthorized third party on Sept. 11, 2017, one day after the incident began, but realized that data had been breached only through a report from outside security investigators on July 31, according to a report in the Atlanta Journal-Constitution. The university is also looking into a second, smaller phishing attack that occurred on July 11.
“Email phishing shows no sign of stopping anytime soon and there is little defense to protect an endpoint where the user unknowingly cooperates with the attacker by clicking within the email,” said Pravin Kothari, CEO of CipherCloud, pointing to Augusta University’s “relatively strong cyberdefense resources” that include a recently opened $100 million cybersecurity center. “Phishing attacks will continue to work, and without major changes in cyber defense strategy, these attackers will continue to get in and steal your data.”