Gore Medical Management Alerted to 2017 Breach of 79,100 Patients’ PHI

Gore Medical Management, a medical practice company based in Griffin, GA, has discovered a historic data breach involving the protected health information (PHI) of 79,100 individuals. The breach occurred in 2017 and affects patients of Family Medical Center in Thomaston, which is now part of Upson Regional Medical Center.

In November 2020, Gore Medical Management was informed by the Federal Bureau of Investigation that a third-party computer recovered as part of an investigation had been found to contain the PHI of Family Medical Center patients.

The breach investigation confirmed that the vulnerability exploited by the hacker to gain access to the Family Medical Center network had been identified and corrected a few months after the breach, although the breach itself was not detected at the time. The medical record system was not compromised, but files containing names, addresses, dates of birth, and Social Security numbers were exfiltrated. No financial information or healthcare records were involved.

There does not appear to have been further access to its systems or any other transfers of data since 2017. Gore Medical Management has now notified all affected patients and has offered them a 12-month membership to an identity theft protection and credit monitoring service.

Pennsylvania Adult & Teen Challenge Discovers Compromised Email Accounts Containing PHI of 7,771 Individuals

Pennsylvania Adult & Teen Challenge, a Rehrersburg, PA-based provider of addiction treatment programs for adults and young people, has discovered an unauthorized individual gained access to employee email accounts that contained the protected health information of 7,771 individuals.

Suspicious activity was detected in an email account on July 29, 2020, and steps were taken to prevent further access and investigate the breach. The investigation confirmed that certain email accounts had been accessed by an unauthorized individual between July 27, 2020 and July 30, 2020.

A forensic investigation was conducted, and the compromised accounts were reviewed to determine the information potentially obtained by the attacker. That process was completed on December 29, 2020.

The types of information in the accounts varied from individual to individual and may have included names along with one or more of the following data elements: Social Security number, driver’s license number, financial account information, payment card information, date of birth, prescription information, diagnosis information, treatment information, treatment provider, health insurance information, medical information, Medicare/Medicaid ID number, employer identification number, electronic signature, username and password.

It was not possible to determine if information in the email accounts was accessed or exfiltrated, but no reports have been received to date to indicate any patient information has been misused. Notification letters have recently been sent to affected individuals and complimentary identity theft protection services have been offered.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.