Phishing email fools Missouri university staff, compromises thousands

Share this article:

Employees of Missouri-based Saint Louis University fell victim to a phishing email that resulted in them providing account information, subsequently putting thousands at risk.

How many victims? More than 3,200 individuals were impacted.

What type of personal information? Names, Social Security numbers, direct deposit information and personal health information, including diagnoses, procedures and medical chart information.

What happened? Saint Louis University employees fell victim to a phishing scam and provided account information, which the attackers then used to gain unauthorized access to direct deposit information for staffers and personal health information for patients treated at the university's hospital.

What was the response? Saint Louis University notified law enforcement and hired a risk mitigation and response services provider. Affected individuals are being notified by mail and are being offered a free year of credit monitoring and identity theft protection services.

Details: Saint Louis University learned on Aug. 8 that some employees had responded to the phishing email on July 25. Although no unauthorized financial transactions have been reported so far, there were about 10 staffers who had direct deposit information changed. Attackers gained access to roughly 20 employee email accounts that contained personal health information on approximately 3,000 patients treated at the university's hospital. The email accounts also contained names and Social Security numbers for about 200 other people. Letters were sent to affected individuals beginning Oct. 7.

Quote: “It appears that the main target of this scam was the direct deposit information of these employees,” according to the notification posted on the Saint Louis University website. “At this time, there is no evidence to suggest that the unknown party accessed any of the personal information in the emails.”

Source: slu.edu, “Notice for Saint Louis University Patients Regarding Privacy Incident,” Oct. 7, 2013.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

RECENT COMMENTS

FOLLOW US

More in The Data Breach Blog

Malware on Breyer Horses website for about 18 months, payment card data ...

Malware installed on the computer server hosting the Breyer Horses website may have compromised personal information for people who made purchases between March 31, 2013 and Oct. 6.

Transcript website flaw exposed personal data on 98k users

NeedMyTranscripts.com expose users' names, addresses and dates of birth, among other information, due to a site flaw that one user discovered.

Sourcebooks payment card breach impacts more than 5,000 customers

More than 5,000 customers had personal information stolen, but roughly 9,000 notification letters were sent out as a precautionary measure.