Vascular Surgical Associates, which has eight locations in the Atlanta metropolitan area, learned in mid-September that a server had been hacked and that the hackers had had access to the server since about March 25. The organization recently began informing about 36,500 patients of the incident.

The investigation found the server was accessed via a compromised vendor password during a software upgrade. Internet addresses in Ghana, China, Russia and other nations were used in the attack.

“Although our investigation was not able to definitively conclude whether the hackers actually accessed or obtained a particular individual’s information, it would have been possible for the hackers to access and obtain patient information about many of our current and former patients, including medical records and demographic information, such as date of birth and address,” according to a letter sent to patients. “No Social Security numbers or financial data was stored on the compromised server.”

The practice’s letter says it does not believe patients are in danger of identity theft, but it recommends that they monitor financial accounts for five years.

“The timeframe of five years is recommended by the FBI because professional criminals of this nature know that most companies that suffer a breach provide one or two years of credit monitoring, and such criminals now hold any information they steal until well after the one- or two-year time period ends. Because the data set available to perpetrators was limited, our experts tell us that the risk of identity theft is low; however, that does not mean that you should not be vigilant.”

The practice, which is not offering identity or credit monitoring services, further recommends that patients contact their bank to see what types of monitoring services they provide. “Many banks provide customers online account access and the ability to set up alerts for account activity.”

Executives of Vascular Surgical Associates did not respond to a request for additional comment.
