280,000 Individuals Affected by Alabama Cardiology Group Cyberattack
Alabama Cardiology Group (ACG) has notified the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) about a data breach involving the personal and protected health information of 280,534 current and former patients, physicians, guarantors, and employees.
ACG identified unauthorized access to a network server on July 2, 2024, and immediate action was taken to secure the server and prevent further access. Third-party cybersecurity experts were engaged to conduct a forensic investigation, which confirmed that an unauthorized third party first accessed its network on June 6, 2024, almost a month before the intrusion was detected. During that month, the threat actor had access to files containing personal information.
The exposed information varied from individual to individual and may have included names, Social Security numbers, health insurance information, claims information, usernames/passwords, and financial information, including bank account and/or payment card numbers. Patients affected by the breach had medical information exposed, which may have included dates of service, diagnoses, medical images, medications, lab test results, and treatment information.
Alabama Cardiology Group said it reset all passwords and implemented further security measures to prevent similar incidents in the future, which suggests that compromised credentials may have been used for initial access. The notification letter does not state whether data exfiltration was confirmed or if this was an extortion attempt.
The incident was reported to law enforcement, and the affected individuals were notified about the breach on August 2, 2024. Complimentary identity theft protection services have been offered to the affected individuals for 24 months, regardless of the types of data exposed in the incident.
This is the first 500+ record data breach to be reported to OCR by Alabama Cardiology Group, the 12th breach to be reported by an Alabama-based HIPAA-regulated entity in 2024, and the largest data breach at an Alabama-based HIPAA-regulated entity so far this year.