Washington University School of Medicine in St. Louis announced today that it is notifying patients of a recent email phishing incident that affected a limited number of email accounts. The school reported the phishing incident to law enforcement and is cooperating with the investigation.
On January 24, 2017, the medical school learned that some of its employees responded to a December 2, 2016 “phishing” email, believing it to be a legitimate request. The school secured the email accounts and began an investigation. The investigation could not rule out that an unauthorized third party may have gained access to some employees’ email accounts. After a detailed review of the affected email accounts, it was confirmed that some of the emails contained patient information, which may have included names, birth dates, medical record numbers, diagnosis and treatment information, and in some instances Social Security numbers.
The incident did not affect all patients. The medical school began mailing letters to affected individuals on March 24, and is offering a year of credit monitoring and identity protection services for those individuals whose Social Security numbers were involved. The School of Medicine has established a dedicated call center to answer patients’ questions. Information about the incident can be found on the School of Medicine website.
To help prevent such incidents in the future, the School of Medicine is reinforcing staff and faculty education on existing protocols and university resources regarding “phishing” emails. It is also reviewing enhancements to strengthen its business practices and user login authentication process.