AUGUSTA, Ga. -- Augusta University was targeted by phishing emails that campus officials say solicited usernames and passwords to access some internal email accounts.
The attack may have led to unauthorized access of protected health information and other personal information. The university president, Dr. Brooks Keel, released a statement on the school's website explaining what happened.
"It is with great regret that I tell you that Augusta University has experienced two cybersecurity incidents," the message said.
On July 31, investigators said email accounts accessed Sept. 10 through 11, 2017 by an unauthorized user may have given them access to the personal and protected health information of about 417,000 individuals.
The second attack, which happened July 11, appears to be smaller in scope.
"When our IT Security team became aware of the September attack, they acted immediately: disabling the impacted email accounts, requiring password changes and monitoring our systems for additional suspicious activity. Shortly thereafter we engaged external cybersecurity experts to determine the extent of the attack," Dr. Keel said.
"To those of you whose information was potentially exposed, I offer you my deepest apology and my assurance that we are working diligently to understand how this happened and to do everything we can to reduce the risk of it happening again."
The university is taking steps to enhance procedures, including creating a new position to ensure that any potential risks are identified and addressed appropriately.
Keel also said a multifactor authentication of off-campus email and system access is being implemented and AU Health is taking steps to create a policy that will ban protected health information in emails.
For those affected, the university has place additional information on its website on actions to take to protect yourself. You can also contact the toll-free call center from 9 a.m. to 9 p.m. Monday through Friday at 1-877-327-1090.
