Date: 2019-10-04

BIRMINGHAM, Ala. (WBRC/UAB MEDIA) - Some patients at UAB are being told that hackers recently gained access to certain employee email accounts containing patient information.
A press release from UAB Friday said hackers sent an email created to look like an authentic request from an executive asking employees to complete a business survey. Despite education and training to recognize this type of phishing attack, a number of employees accessed the survey and provided their username and password to the hackers, allowing the hackers to access the employees’ email accounts as well as the payroll system.
UAB Medicine is notifying 19,557 patients that their protected health information has been exposed and could potentially have been viewed by the hackers.
UAB Medicine’s electronic health record and billing systems were not impacted by the attack.
UAB Medicine discovered the phishing attack Aug. 7, 2019. The affected accounts were secured upon identification, and passwords for those accounts were reset.
An investigation revealed the cybercriminals were attempting to divert employees’ automatic payroll deposits to an account controlled by the hackers. UAB Medicine prevented all attempts by the hackers to re-direct payroll deposits. There is no evidence the hackers were looking for, accessed or stole any protected health information contained in the compromised accounts. However, limited amounts of protected health information could have been viewed by the hackers while they had access to the affected email accounts.
The statement said the protected health information varied but may have included the patient’s name with one or more of the following data elements: medical record number, birth date, dates of service, location of service, diagnosis and treatment information. Social Security numbers were included for a small subset of patients, and those patients have been specifically notified.
UAB Medicine is encouraging affected patients to review their credit reports and insurance statements to identify any unusual or fraudulent activity that could be related to this incident. UAB Medicine is also making one year of free credit monitoring and reporting services available to affected patients.
A toll-free telephone number, 1-877-594-0950, has been provided for affected patients to call if they have any questions.
“UAB Medicine takes the protection of our patients’ health information very seriously and sincerely regrets this potential intrusion on your privacy,” a letter sent to affected patients read.
