A third party may have gained unauthorized access to patient information — including names, birth dates and social security numbers — after a phishing attack at Washington University's medical school.
A post on the Washington University School of Medicine website said an employee fell for a phishing email designed to look like an official request for information. After learning of the incident, the school secured emails and began an investigation.
The post said they "could not rule out" unauthorized access to some employees' email accounts. Emails from those accounts contained patient information, which the post said may have included names, birth dates, medical record numbers, diagnosis and treatment information and Social Security Numbers, but did not affect all patients.
The university said it has "no indication" that the information had been misused, but began sending letters to affected patients Friday.
The medical school also alerted law enforcement and is cooperating with their investigation.