Phishing Attack on UAB Medicine impacted more than 19,500 Patients

The UAB (University of Alabama) Medicine is notifying patients regarding a phishing attack on Aug. 7, 2019, as a result of which email accounts of a number of UAB Medical Center employees in Birmingham city, Alabama, were accessed by attackers.

The hackers have sent an email looking like a genuine request from executive, which asked the employees to complete one business survey. Although the employees have received education as well as training for recognizing the phishing attacks, still "a number of employees accessed the survey and provided their username and password to the hackers". Due to which, the cybercriminals were successful in accessing the payroll system as well as the email accounts of employees. EHR as well as billing systems of the UAB Medicine remain unimpacted in this hack.

Once this breach was discovered, the email accounts were secured and the passwords of compromised email accounts have been changed in order to prevent more unauthorized access. UAB Medicine has engaged Kroll, a leading cybersecurity company, for assisting in the investigation of this breach.

As per the officials, the investigation has determined that the hackers were trying to divert automatic payroll deposits of the employees to an account that was controlled by hackers. UAB Medicine has successfully prevented all the attempts of the hackers to re-direct payroll deposits. Although it could be possible that attackers have viewed and/or copied the patient information, no proof of unauthorized PHI (Protected Health Information) access or data exfiltration has been identified and also there were no reports of patients' PHI misuse.

An analysis of compromised email accounts has revealed that they contained protected health information of 19,557 patients, which includes names along with one or more of following data elements: date of birth, medical record number, location of service, dates of service, diagnoses, as well as treatment information. A few patients Social Security number was also exposed.

Affected patients were encouraged by UAB Medicine to review their insurance statements and credit reports to identify any fraudulent or unusual activity related to this phishing incident. UAB Medicine has been also offering 12 months' of identity theft protection and credit monitoring services free of cost to the affected patients.

"UAB Medicine takes the protection of our patients' health information very seriously and sincerely regrets this potential intrusion on your privacy," letter sent to the affected patients read.

» SPAMfighter News - 10/31/2019