Hacker goes through a business associate to attack a clinic

Substantial personal health information at risk, patients told to check credit reports

Athens (Ga.) Orthopedic Clinic is notifying an unspecified number of patients following a cyber attack on its electronic health records system that used the log-in credentials of an outside vendor who has since been terminated.

The breach occurred in mid-June, and the practice learned of the intrusion on June 27. While not confirmed in this case, many victims of cyber attacks don’t know they have been victimized until law enforcement agencies investigating another incident identify additional providers who have been attacked.

The practice has 66 clinicians, including physicians, physician assistants, physical therapists, athletic trainers and occupational/hand therapists, and operates out of multiple locations in northeast Georgia.

Protected health information at risk includes patient names, addresses, Social Security numbers, dates of birth, telephone numbers, account numbers and, in some cases, diagnoses and partial medical histories, according to a notification letter sent to patients.

The clinic is not currently offering protective services, but it’s advising affected individuals to place fraud alerts on their credit reports with Equifax, Experian and TransUnion and to check credit reports for signs of fraud. An outside spokesperson for the clinic was unavailable to discuss the reasons for not offering protective services.

“To further protect against future breaches, we have retained cyber security experts to investigate and make recommendations for additional improvements to our system, and have begun implementing these recommendations,” the practice states in the notification letter.

The incident is not yet posted to the HHS Office for Civil Rights’ web site of breaches affecting more than 500 individuals.

More for you

Loading data for hdm_tax_topic #clinician-experience...