Georgia Spine and Orthopaedics of Atlanta (GSOA) is notifying certain patients about the potential theft of some of their protected health information (PHI).
GSOA discovered that an employee had responded to a phishing email, which gave the attacker access to the employee’s email credentials. Third-party computer forensics specialists were contracted to conduct a comprehensive investigation of the incident to determine the scope of the breach and the patients affected. The investigation confirmed that only one email account was breached and that access to the account was gained on July 11, 2018.
Determining which patients had their PHI exposed required a meticulous manual review of every message in the compromised account, including which messages the attacker had opened.
GSOA reported that access to the email account would have allowed the attacker to view and save copies of the email messages. Although GSOA said that obtaining a copy of the data was “likely unintentional,” it is probable that the attacker has retained a copy of the messages.
The manual review of the email messages showed names, personal information, and healthcare data associated with medical records were present in emails in the compromised account. Some of the compromised emails also included driver’s license numbers and Social Security numbers of patients.
GSOA has notified patients whose PHI was compromised and the Department of Health and Human Services’ Office for Civil Rights has been informed. The OCR website shows the breach affected 7,012 patients.
GSOA has since taken steps to strengthen security and prevent further phishing attacks.