UAB Medicine is notifying affected patients that criminal hackers recently gained access to certain employee email accounts containing patient information.
The hackers sent an email created to look like an authentic request from an executive asking employees to complete a business survey. Despite education and training to recognize this type of phishing attack, a number of employees accessed the survey and provided their username and password to the hackers, allowing the hackers to access the employees’ email accounts as well as the payroll system. UAB Medicine’s electronic health record and billing systems were not impacted by the attack.
UAB Medicine discovered emails had been compromised in the phishing attack Aug. 7, 2019. The affected accounts were secured upon identification, and passwords for those accounts were reset. Kroll, a leading cybersecurity firm, was engaged to assist with the investigation of the breach.
The investigation revealed the cybercriminals were attempting to divert employees’ automatic payroll deposits to an account controlled by the hackers. UAB Medicine prevented all attempts by the hackers to re-direct payroll deposits. There is no evidence the hackers were looking for, accessed or stole any protected health information contained in the compromised accounts. However, limited amounts of protected health information could have been viewed by the hackers while they had access to the affected email accounts.
As a result of this attack, UAB Medicine is notifying 19,557 patients their protected health information has been exposed and could potentially have been viewed by the hackers. The protected health information varied but may have included the patient’s name with one or more of the following data elements: medical record number, birth date, dates of service, location of service, diagnosis and treatment information. Social Security numbers were included for a small subset of patients, and those patients have been specifically notified.
UAB Medicine is encouraging affected patients to review their credit reports and insurance statements to identify any unusual or fraudulent activity that could be related to this incident. UAB Medicine is also making one year of free credit monitoring and reporting services available to affected patients. A toll-free telephone number – 877-594-0950 – has been provided for affected patients to call if they have any questions.
“UAB Medicine takes the protection of our patients’ health information very seriously and sincerely regrets this potential intrusion on your privacy,” a letter sent to affected patients read.
UAB Medicine continually trains employees regarding these types of cyberattacks and is increasing its efforts to educate employees about email and data security. The additional security protection of multifactor authentication also has been implemented for all employee emails. UAB Medicine is committed to protecting patients’ health information and will continue to take steps to prevent this type of attack from happening again.