280,000 Individuals Affected by Alabama Cardiology Group Cyberattack

Alabama Cardiology Group (ACG) has notified the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) about a data breach involving the personal and protected health information of 280,534 current and former patients, physicians, guarantors, and employees.

ACG identified unauthorized access to a network server on July 2, 2024, and immediate action was taken to secure the server and prevent further access. Third-party cybersecurity experts were engaged to conduct a forensic investigation, which confirmed that an unauthorized third party first accessed its network on June 6, 2024, almost a month before the intrusion was detected. During that month, the threat actor had access to files containing personal information.

The exposed information varied from individual to individual and may have included names, Social Security numbers, health insurance information, claims information, usernames/passwords, and financial information, including bank account and/or payment card numbers. Patients affected by the breach had medical information exposed, which may have included dates of service, diagnoses, medical images, medications, lab test results, and treatment information.

Alabama Cardiology Group said it reset all passwords and implemented further security measures to prevent similar incidents in the future, which suggests that compromised credentials may have been used for initial access. The notification letter does not state whether data exfiltration was confirmed or if this was an extortion attempt.

The incident was reported to law enforcement and the affected individuals were notified about the breach on August 2, 2024. Complimentary identity theft protection services have been offered to the affected individuals for 24 months, regardless of the types of data exposed in the incident.

This is the first 500+ record data breach to be reported to OCR by Alabama Cardiology Group, the 12th breach to be reported by an Alabama-based HIPAA-regulated entity in 2024, and the largest data breach at an Alabama-based HIPAA-regulated entity so far this year.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/