An email scam directed towards Saint Louis University employees compromised private information to an unknown user, including the personal health information of about 3,000 people.
A subset of SLU employees received an email in late July asking them to disclose their log-in and password information on a phony website posing as SLU’s log-in portal. 40 SLU employees responded to the email, and 20 email accounts were accessed by the unknown user.
Chief Information Officer David Hakanson said that while the unknown scammer gained access to personal information, there are no reports of the information being used.
“There is no evidence that shows any financial impact or impact to patients whose health information was contained in those email accounts,” Hakanson said.
The unknown user gained access to:
- Private health information of 3,000 people. The 3,000 patients were either seen by a SLU care physician or at a partner facility with relations to SLU. There is no evidence to show that the patients’ health information was accessed by the scammer, and the University’s Electronic Health Record system was not accessed by the unknown party. Each individual impacted is being notified of the security breach.
- 200 Social Security numbers. 200 of the 3,000 records included Social Security numbers. When notified of the security breach, individuals will also be notified that their Social Security number was included in the compromised information.
- 20 SLU email accounts. Once the security breach was discovered on Aug. 8, SLU officials worked with impacted individuals to secure their accounts.
- Direct deposit information of 10 employees was changed. While the direct deposit information was changed in 10 of the 20 breached accounts, no unauthorized transactions were made.
To prevent future security breaches, SLU is conducting a comprehensive review of Information Technology security practices and providing training to help employees identify email scams.
Each individual affected by the incident will receive free credit monitoring and identity theft protection for one year, provided by SLU.
Follow Kate Essig on Twitter: @kateessig