Georgia Spine and Orthopaedics of Atlanta (GSOA) is informing a number of its patients about a phishing attack that caused the possible theft and exposure of some of their protected health information (PHI).
The investigation of the data breach showed that an unauthorized person got access to an email account after an employee of GSOA responded to a phishing email message. As a consequence, the attacker acquired the password of the email account of the employee.
Third-party computer forensics experts performed a thorough investigation of the data breach to determine its scope and the people it impacted. The investigation confirmed that the attacker only accessed a single email account on July 11, 2018. The investigators likewise inspected GSOA’s technology systems to make certain that they stay safe.
Identifying the patients affected by the breach took a painstaking manual evaluation of all messages contained in the attacked email account. They had to distinguish which messages were accessed by the attacker.
GSOA noted that the email account access would have allowed the attacker to view and duplicate the email messages. Obtaining a copy of the information may not have been the attacker's likely intention; even so, it is probable that the attacker held on to a copy of the messages.
The manual examination of the email messages in the account showed that it contained patients’ names and personal and medical data kept as healthcare files in the account. Additionally, a number of the compromised emails had some patients’ driver’s license numbers and Social Security numbers.
GSOA has sent notification letters via mail to all patients affected by the PHI breach. The breach summary report posted on the Department of Health and Human Services’ Office for Civil Rights website indicated that there were 7,012 patients affected.