Hacking Incidents Reported by Georgia Urology and Millennium Home Health Care
Georgia Urology and Millennium Home Health Care have identified hacking incidents involving unauthorized access to patient data. Blue Shield of California has reported an incident involving the exposure of plan member information to other individuals on the same plan.
Georgia Urology
Georgia Urology, the largest urology practice in Atlanta and the Southeastern United States, has recently disclosed a data security incident that may have involved unauthorized access to the personal and protected health information of 12,398 patients. Suspicious activity was identified in two employee email accounts on or around October 25, 2024. The email accounts were immediately secured, and third-party cybersecurity experts were engaged to investigate the activity. Unauthorized access to the email accounts was confirmed, and the accounts were reviewed to determine the extent of data exposure. That process was completed on March 5, 2025.
Georgia Urology determined that the security incident was limited to the email accounts and that the emails and attachments in the accounts may have been viewed or acquired by an unauthorized third party. They contained information such as names, addresses, Social Security numbers, driver’s license numbers, treatment/diagnosis information, medical history information, dates of birth, COVID vaccination information, and health insurance information; however, no evidence has been found to indicate any abuse of the exposed information at the time of issuing notification letters.
The affected individuals were notified on March 27, 2025, and a toll-free helpline has been established for them to find out more about the incident. The helpline (1-833-998-7776) is manned from 8:00 a.m. to 8:00 p.m., Monday to Friday.
Millennium Home Health Care
Millennium Home Health Care, a Tulsa, OK-based home healthcare agency, has discovered unauthorized access to two of its computer servers. The security breach was detected on January 20, 2025, prompting a forensic investigation to determine the extent of the unauthorized activity. The investigation confirmed there had been unauthorized access to two servers between January 16, 2025, and January 20, 2025, and that data was acquired.
Millennium Home Health Care said, “We ultimately were able to take the necessary steps to obtain assurances from the unauthorized third party that they had deleted all of the information that they acquired during the incident and had not further used or disclosed it.” The review of the affected servers confirmed they contained the protected health information of 4,743 individuals, including names, birth dates, addresses, phone numbers, Social Security numbers, and information about medical conditions and the care received.
Millennium Home Health Care said cybersecurity experts have reviewed and scanned its IT environment and confirmed that its systems are secure, and additional security measures have been implemented to better protect against incidents of this nature in the future. While no evidence of data misuse has been detected, the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and cyber monitoring services.
Blue Shield of California
Blue Shield of California has recently notified the California Attorney General about potential unauthorized access to members’ electronic medical records. On November 8, 2024, a health information exchange identified a data mismatch error, which may have allowed a plan member’s health records to be viewed by family members on the same plan.
The issue was caused by Blue Shield providing the health information exchange with a single subscriber ID on a plan that included multiple names. That meant it was possible that family members on the same plan could have viewed the medical information of the plan holder via the Member Health Record feature of the Blue Shield Member portal. Notification letters were issued to the 535 potentially affected individuals out of an abundance of caution. Blue Shield of California was unable to determine whether the plan holder’s information was viewed by any family members.
The information potentially viewed was limited to medical visit type, dates of service, provider and pharmacy demographics, treating facility’s name, and medication information. No demographic information could be viewed that would have specifically identified the user as the individual who received treatment. Blue Shield of California said the data feed with the health information exchange was terminated on November 11, 2024.


