Notice to our Patients of Email Phishing Incident
March 24, 2017
Washington University School of Medicine is committed to protecting the security and confidentiality of our patients’ information. We regret, however, that information about some of our patients may have been accessed by an unauthorized third party due to an email “phishing” incident.
On January 24, 2017, the medical school learned that some of its employees responded to a Dec. 2, 2016, “phishing” email, believing it to be a legitimate request. A “phishing” email is designed to look like a legitimate email but tricks the recipient into taking some action, such as providing login credentials. Upon learning of the incident, we secured the email accounts and began an investigation. The investigation could not rule out that an unauthorized third party may have gained access to some employees’ email accounts. We conducted a detailed review of the employees’ email accounts and confirmed that some of the emails contained patient information, which may have included names, birth dates, medical record numbers, diagnosis and treatment information, other clinical information, and in some instances Social Security numbers. We reported the phishing incident to law enforcement and are cooperating with the investigation.
We have no indication that the information in the emails has been misused. However, as a precaution, we began mailing letters to affected patients on March 24, 2017, and have established a dedicated call center to answer any questions patients may have. If you believe you may be affected and have not received a letter by April 24, 2017, or if you have any questions regarding this incident, please call 844-641-5630. The call center is open Monday through Friday from 9 a.m. to 5 p.m. central time.
We regret any inconvenience this incident may have caused our patients. To help prevent such incidents in the future, we are reinforcing education for our staff and faculty on existing protocols and university resources regarding “phishing” emails. We also are reviewing enhancements to strengthen our business practices and user login authentication process.