This week Saint Louis University is sending out notification letters regarding a data security incident that may have involved the protected health information of approximately 3,000 people.
On Aug. 8, the University discovered that some SLU employees provided their account information in response to a sophisticated phishing email scam they received on July 25. The University immediately launched a full-scale investigation, notifying the employees and securing their SLU accounts. While about 10 employees had direct deposit information changed, no unauthorized financial transactions occurred. The University also notified law enforcement officials.
As the scope of the investigation expanded, the University learned that the phishing scam also resulted in unauthorized access to about 20 SLU email accounts that contained the personal health information of approximately 3,000 people. It is important to note that the University's Electronic Health Record system was not accessed by the unknown party.
These email accounts also contained approximately 200 Social Security numbers. Some of the individuals whose information was included in the emails were patients treated or reviewed by an SLU physician at a partner facility, and the University is working with those organizations in its response efforts.
At this time, all evidence suggests that the main target of this scam was the financial information of University employees who received the phishing email. A number of colleges and universities have been targeted with similar schemes in recent months.
While there is no evidence to suggest that the unknown party accessed any of the information in the emails, out of an abundance of caution, SLU is providing individuals whose information was affected by the incident with one year of free continuous credit monitoring and identity theft protection and restoration. Instructions for signing up for these free services are enclosed in the notification letters.
The University also has released a toll-free telephone number, 1-877-309-9839, and launched a website to provide more information about the incident and to answer questions from those who are being notified.
To review how to spot a phishing email, visit the Information Technology Services website. ITS is also reminding employees that it will never ask users to confirm account information or to provide their passwords via email.