PHI of 7,000 Georgia Spine and Orthopaedics of Atlanta Patients Exposed Due to Phishing Attack

Georgia Spine and Orthopaedics of Atlanta (GSOA) is notifying certain patients about the potential theft of some of their protected health information (PHI).

GSOA discovered that an employee had responded to a phishing email, which gave the attacker access to the employee’s email credentials. Third-party computer forensics specialists were contracted to conduct a comprehensive investigation of the incident to determine the scope of the breach and the patients affected. The investigation confirmed that only one email account was breached and that access to the account was gained on July 11, 2018.

Determining which patients had their PHI exposed required a meticulous manual analysis of all email messages in the compromised account, including identifying which messages had been opened by the attacker.

GSOA reported that access to the email account would have enabled the attacker to view and save a copy of the email messages. Although obtaining a copy of the data was “likely unintentional,” it is nevertheless probable that the attacker has retained a copy of the email messages.

The manual review of the email messages showed names, personal information, and healthcare data associated with medical records were present in emails in the compromised account. Some of the compromised emails also included driver’s license numbers and Social Security numbers of patients.

GSOA has notified patients whose PHI was compromised and the Department of Health and Human Services’ Office for Civil Rights has been informed. The OCR website shows the breach affected 7,012 patients.

GSOA has since taken steps to improve security to prevent further phishing attacks in the future.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/