Alabama Cardiovascular Group Cyberattack Affects 280,500 Individuals
Alabama Cardiovascular Group, Gastrointestinal Medicine Associates & United Urology Group have recently reported data breaches involving the protected health information of at least 323,573 individuals. RansomHub claims to have stolen data from the Neurological Spine Institute of Savannah in Georgia.
Alabama Cardiovascular Group
Alabama Cardiovascular Group (ACG) has discovered unauthorized individuals accessed its computer network over the space of a month between June 6, 2024, and July 2, 2024, and during that time, exfiltrated files containing sensitive data. The intrusion was detected on July 2, 2024, and immediate steps were taken to prevent further unauthorized access to the network. The cyberattack has been reported to law enforcement and the HHS’ Office for Civil Rights (OCR). The OCR breach portal indicates up to 280,534 individuals have been affected, including current and former patients, guarantors, employees, and physicians. Those individuals have been notified by mail and offered 24 months of complimentary access to Experian’s IdentityWorks identity theft protection service.
The file review confirmed that the following types of data were involved: name, address, email address, phone number, date of birth, Social Security number, health insurance information, health insurance claims information, usernames/passwords, and medical information (such as dates of service, diagnoses, medications, images, lab results, and other treatment information). For some individuals, the data may also have included driver’s license number, passport number, credit card/debit card information, and bank account information, if that information was provided to ACG. ACG said it has implemented additional measures to improve security and prevent similar incidents in the future.
Gastrointestinal Medicine Associates
Internal Medicine Associates, doing business as Gastrointestinal Medicine Associates in Rhode Island, has fallen victim to a cyberattack. Suspicious activity was detected within its network on April 15, 2024, and the subsequent investigation confirmed that an unauthorized third party had access to its network between April 5, 2024, and April 15, 2024. During that time, a limited amount of data was exfiltrated from its network.
The data review was completed on July 23, 2024, and confirmed that the protected health information of 31,835 patients had been exposed and potentially stolen in the attack. The types of information involved varied from individual to individual and may have included names, dates of birth, contact information, demographic information, medical information, health insurance information, and Social Security numbers. Data privacy and security policies and procedures are being reviewed and enhanced to prevent similar incidents in the future. Patients were notified about the breach on August 7, 2024.
United Urology Group
United Urology Group, a national network of urology specialists, has confirmed that it was the victim of a cyberattack in April 2024 that involved the protected health information of 10,704 patients. The website breach notice does not state when the cyberattack was detected; however, its investigation confirmed unauthorized access to its network between April 27, 2024, and May 6, 2024.
The investigation confirmed that files had been removed from its network, and the review of those files was completed on July 15, 2024. Those files contained patients’ full names in combination with one or more of the following: date of birth, Social Security number, driver’s license number/state identification number, financial account information, passport number, username/password associated with one or more online accounts, medical information, and health insurance policy information.
The affected individuals were notified on August 14, 2024, and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were compromised. United Urology Group said it is unaware of any misuse of the affected data. As previously reported by The HIPAA Journal in late May 2024, the RansomHouse ransomware group claimed responsibility for the attack, and said data was encrypted on May 4, 2024.
Neurological Spine Institute of Savannah
Neurological Spine Institute of Savannah in Georgia is the apparent victim of a cyberattack by the RansomHub ransomware group. The healthcare provider has not publicly confirmed any cyberattack or data breach; however, the RansomHub group has added the Neurological Spine Institute of Savannah to its data leak site. RansomHub’s posting states that this attack did not involve file encryption. The group claims that files were not encrypted as “a goodwill gesture.” The group says it exfiltrated “hundreds of gigabytes of data” and is threatening to contact every affected patient to inform them about the theft of their data.
In April 2025, the Neurological Spine Institute of Savannah in Georgia confirmed the data breach and started issuing notification letters. You can read more about the data breach in this post.


