A phishing attack on Georgia Spine and Orthopedics of Atlanta potentially compromised the protected health information of over 7,000 patients. According to officials, an unauthorized user gained access to an employee’s email account after the employee opened a phishing email; the attacker used the phishing message to steal the employee’s email account password. Upon discovery, access to the account was terminated and officials hired a forensics team to investigate.
Because of how the email account was configured, copies of certain emails may have been downloaded onto the hacker’s computer. Officials said that while the download was likely unintentional, “we had to assume that the third party retained a copy of that data.”
“We searched the emails to determine whether sensitive data was located within any of the emails that were potentially saved. Individual emails were then hand reviewed to obtain names and mailing addresses,” officials explained.
The investigators determined that the emails contained patient names and other data typically found in a medical record. For a small number of patients, Social Security numbers and driver’s license numbers were also exposed. According to the Department of Health and Human Services’ Office for Civil Rights (OCR), all patients whose protected health information was obtained or stolen have now been notified by mail.
How can you avoid the same situation in your medical practice? Contact HIPAAcraticRx to easily and effectively train your staff. We provide ongoing HIPAA compliance for independent medical practices to help give you peace of mind.