7,000 Patients Affected by Georgia Spine and Orthopaedics of Atlanta Phishing Attack
Georgia Spine and Orthopaedics of Atlanta (GSOA) is notifying thousands of patients that some of their protected health information has been exposed, and potentially stolen, as a result of a phishing attack.
An investigation into the data breach revealed that an unauthorized individual gained access to an email account after an employee responded to a phishing email. That response disclosed the employee’s email account password to the attacker.
Third-party computer forensics experts were contracted to conduct a detailed investigation into the attack to determine the extent of the breach and find out which patients had been affected. The investigation confirmed that a single email account had been compromised on July 11, 2018. An evaluation of GSOA’s technology systems was also conducted to ensure that they were secure.
In order to determine which patients had been affected, a painstaking manual analysis of all emails in the compromised account was performed to determine which messages had been accessed by the attacker.
GSOA reports that the way the email account was accessed would have allowed the attacker to view the emails and save a local copy of them. GSOA said that if a copy of the data was obtained it was “likely unintentional,” but acknowledged that it is probable a copy of the emails was retained by the attacker, so exfiltration of the mailbox contents cannot be ruled out.
The manual review of emails in the account revealed they contained patients’ names and personal and medical information typically saved in medical records, although only a small number of the compromised emails contained patients’ Social Security and driver’s license numbers.
All patients whose protected health information was exposed or potentially stolen have now been notified by mail. The breach report on the Department of Health and Human Services’ Office for Civil Rights website shows 7,012 patients have been affected by the breach.