Once again, a security breach has affected thousands of individuals, exposing their data to as-yet-unidentified attackers. This time, the victim is The University of Alabama at Birmingham. Specifically, UAB Medicine disclosed a data breach that exposed patients’ information to attackers.
UAB Medicine Data Breach
UAB Medicine has disclosed a recent security breach that affected its electronic systems. The breach exposed the personal information of thousands of patients to attackers.
As explained in their security notice, the incident followed a phishing attack on their systems. The attackers then gained access to the accounts of several employees as well as the payroll system.
The hackers sent an email created to look like an authentic request from an executive asking employees to complete a business survey. Despite education and training to recognize this type of phishing attack, a number of employees accessed the survey and provided their username and password to the hackers, allowing the hackers to access the employees’ email accounts as well as the payroll system.
After accessing the payroll system, hackers attempted to move automatic payroll deposits from the employees’ accounts to their own.
The attack affected not only staff but also 19,557 patients. While the hackers seemingly hadn’t targeted patients’ data, they did view some protected health information (PHI) through the compromised employee accounts. Regarding the exposed information, the notice reads,
The protected health information varied but may have included the patient’s name with one or more of the following data elements: medical record number, birth date, dates of service, location of service, diagnosis and treatment information. Social Security numbers were included for a small subset of patients.
Security Measures Underway
After the incident, UAB Medicine quickly undertook measures to contain the attack. They reset passwords for the affected accounts and secured them. They also enlisted a cybersecurity firm to investigate the breach.
They have also notified the patients affected by this incident and are arranging one year of free credit monitoring for them.