Athens Orthopedic Clinic Breach: No Money to Pay for Identity Theft Protection Services
On June 14, a hacker operating under the name The Dark Overlord hacked an Athens Orthopedic Clinic database containing the records of 201,000 patients. The attack was performed via a third party vendor that was used by the clinic.
Patient data were stolen and the hacker attempted to extort money from the clinic. A threat was issued saying the data would be sold if a payment was not made. When the clinic refused to pay, the data were listed for sale on darknet marketplace TheRealDeal. The data included patient names, dates of birth, addresses, telephone numbers, account numbers, Social Security numbers, and potentially diagnoses and medical histories.
While healthcare cyberattacks usually result in patients being offered a minimum of 12 months credit monitoring and identity theft protection services to mitigate risk, Athens Orthopedic Clinic has confirmed that its patients will not be offered these services.
A spokesperson for Athens Orthopedic Clinic issued a statement to the Athens Banner-Herald explaining that the clinic cannot afford to pay for extended credit monitoring services for 200,000 individuals. The cost of providing those services would be “many millions of dollars,” and there simply isn’t the money available.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Kayo Elliott, CEO of Athens Orthopedic Clinic said “We are not able spend the many millions of dollars it would cost us to pay for credit monitoring for nearly 200,000 patients and keep Athens Orthopedic as a viable business.” Elliot apologized to patients affected by the breach, saying “I recognize and am truly sorry for the position this puts our patients in.”
AOC trauma surgeon Chip Ogburn, MD also told the Athens Banner-Herald “I assure you that every single physician is incredibly distraught with this violation of our responsibility to you and the relationships that we have built.”
Action has been taken to reduce the risk of future breaches and the contract with the “healthcare information management contractor” has now been terminated. Patients have been instructed to contact credit reference agencies to place fraud alerts on their files and to obtain credit reports to monitor for fraud.
The breach has already cost the clinic a considerable amount of money. 201,000 breach notification letters have been mailed to affected patients, an external cybersecurity firm was brought in to investigate the breach, and steps have been taken to improve cybersecurity defenses to prevent future cyberattacks. However, those are not the only costs that will need to be covered. At least two law firms have issued news releases requesting breach victims get in touch to get their names added to class action lawsuits.
