Share this article on:
Vascular Surgical Associates – A group of specialty-trained vascular surgeons in Atlanta – has announced that it has been the victim of a hacking incident that has potentially resulted in certain protected health information being viewed by unauthorized individuals.
IT staff noticed unusual activity on one of the company’s servers on or around September 13, 2016. An investigation into the anomaly was launched, which revealed the server had been improperly accessed using login credentials supplied to some of the group’s vendors. Access to patient data was first gained on March 25, 2016 when a software application upgrade was performed.
The investigation did not confirm whether patient health information had been obtained by the hackers, although for more than five months it would have been possible for the login credentials to have been used to view patient data. As soon as IT staff determined the server had been compromised access was immediately terminated. The server is now secure and Vascular Surgical Associates is confident that no further unauthorized access is possible.
It would not have been possible for the intruders to view Social Security numbers or financial data, as that information was stored elsewhere on a part of the network that was not compromised. However, names, addresses, birth dates, demographic data, and medical records were all potentially viewed.
The investigation did not confirm the identity of the hackers, although evidence was uncovered to suggest the attackers were based in other countries. The login credentials used to gain access to the server were only used by vendors and their staff members. Vascular Surgical Associates is confident that none of its staff members were involved in the breach.
Vascular Surgical Associates has reported to the incident to the appropriate federal and state authorities and investigations will be launched by the FBI and Department of Health and Human Services’ Office for Civil Rights. At present, no announcement has been made about the number of patients that have been impacted by the incident. Affected individuals will be notified of the security breach by mail.