PHI of 9,800 Patients of Atlanta Allergy & Asthma Exposed in Cyberattack

Atlanta Allergy & Asthma has started notifying 9,851 patients about a January 2021 cyberattack in which their protected health information was exposed and potentially compromised. Atlanta Allergy & Asthma said its investigation into the breach determined hackers had access to its network between January 5 and January 13, 2021. Upon discovery of the breach, steps were immediately taken to kick the unauthorized individuals out of its network and mitigate any potential harm.

Atlanta Allergy & Asthma engaged third-party cybersecurity professionals to determine the nature and scope of the breach, with the investigation confirming the attackers had access to parts of the network where documentation was stored that included protected health information.

A comprehensive review was conducted of those documents. Atlanta Allergy & Asthma said it was confirmed on July 8, 2021 that the following types of information had potentially been compromised: names, dates of birth, Social Security numbers, financial account numbers and/or routing numbers, diagnoses, treatment information and costs, procedure types, provider names, treatment location, dates of service, patient account numbers and/or health insurance information.

Atlanta Allergy & Asthma said it is not aware of any attempted or actual misuse of patient data as a result of the breach. Starting on August 20, 2021, letters were sent to affected individuals to alert them to the exposure of their patient data and allow them to take steps to protect against identity theft and fraud, including availing of the credit monitoring and identity protection services that are being offered free of charge to affected patients.

Atlanta Allergy & Asthma said it continuously evaluates its cybersecurity practices and internal controls and will be taking steps to enhance the security and privacy of patient data.

Atlanta Allergy & Asthma did not disclose the exact nature of the cyberattack in its breach notification letter; however, obtained evidence that this was a ransomware attack by the Nefilim ransomware threat group, and that sensitive data were stolen in the attack. Some of the stolen files contained patient information and 2GB of stolen data were dumped on the Nefilim data leak site in March 2021.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.