Gore Medical Management Alerted to 2017 Breach of 79,100 Patients’ PHI

A historic data breach which impacted the protected health information (PHI) of 79,100 clients of Gore Medical Management, a medical practice firm located in Griffin, GA, has been discovered. The breach happened in 2017 and impacts clients of Family Medical Center in Thomaston, which is an entity within the Upson Regional Medical Center group.

During November 2020, Gore Medical Management was made aware by the Federal Bureau of Investigation that a third-party computer containing the PHI of Family Medical Center patients had been retrieved as part of an investigation.

The breach investigation found that the flaw targeted by the hacker to obtain access to the Family Medical Center network had been spotted and addressed a few months after the breach, although the breach itself was not noticed at the time. The medical record system was not impacted, but files holding names, addresses, dates of birth, and Social Security numbers were stolen. No financial data or healthcare records were included.

There does not seem to have been additional access to its systems or any other transfers of data since 2017. Gore Medical Management has now made contact with all impacted patients and has given them the chance to avail of a one-year membership to an identity theft protection and credit monitoring service.

Elsewhere, Pennsylvania Adult & Teen Challenge, a Rehrersburg, PA-based addiction treatment center that provides programs for adults and young people, has found that an unauthorized person obtained access to employee email accounts that included the protected health information of 7,771 people.

Suspicious actions were detected in an email account on July 29, 2020, and measures were taken to stop additional access and review the breach. The review found that certain email accounts had been logged into by an unauthorized person between July 27, 2020 and July 30, 2020.

A forensic review was completed, and the impacted accounts were reviewed to determine the data that may have been obtained by the hacker. That process was finished on December 29, 2020.

The range of information in the accounts was different from person to person and may have included names along with one or more of the following data elements: Social Security number, driver’s license details, financial account data, payment card information, birth dates, prescription information, specific diagnoses, treatment information, treatment clinic, health insurance information, medical information, Medicare/Medicaid ID number, employer identification number, electronic signature, username and logon details.

It was not possible to deduce if information in the email accounts was stolen, but no reports have been submitted so far to suggest any patient information has been improperly used. Notification letters have recently been shared with impacted individuals and free identity theft protection services have been provided.