Because of a phishing attack on August 7, 2019, UAB Medicine is notifying its patients about the compromise of several email accounts of UAB Medical Center in Birmingham, AL employees that the attackers potentially accessed.
Upon learning about the breach, UAB changed the passwords of the affected email accounts to stop further access by unauthorized persons and UAB Medicine hired a top-rated cybersecurity company to investigate the incident.
An examination of the breached email accounts showed that the messages contained 19,557 patients’ protected health information (PHI), which included names and at least one of the following information: medical record number, birth date, dates and location of service, diagnoses, and treatment data. The Social Security number of some patients were likewise exposed.
UAB Medicine employees have undergone security awareness training and know how to recognize phishing email messages. However, in spite of being trained, a number of employees replied to the phishing emails and revealed their email account login details. The attackers used that information to access the employees’ email accounts as well as the payroll system. According to the health system, the attackers emailed a phony business survey which they made to appear that have come from the email account of an executive from within the organization.
It seems that the motive behind the attack was to access the payroll system to redirect the payroll deposits of employees. UAB detected the attack and stopped it before payroll deposits were rerouted. Although it is probable that the attackers have seen or copied patient data, there is no proof that indicates the unauthorized access or exfiltration of data. There is also no report received concerning the misuse of the PHI of patients.
The affected persons were instructed to watch out for indications of fraudulent transactions on their accounts and explanation of benefits statements. They were provided free subscription to credit monitoring and identity theft protection services for 12 months. UAB has taken the required steps to strengthen email security and prevent identical breaches from happening again.