Patients of Athens Orthopedic Clinic are in the process of being notified that their protected health information has been obtained by a hacker. The Athens Orthopedic Clinic cyberattack was discovered late last month after a hacker going by the name The Dark Overlord put the healthcare records of a Georgia healthcare provider up for sale on the Darknet marketplace TheRealDeal.
However, it was initially unclear to whom the records belonged, as the name of the healthcare provider was not disclosed. The Dark Overlord (TDO) reportedly sent a demand for payment to each of the healthcare organizations that were attacked.
The companies were told that they could pay to prevent the sale of their data and receive assistance correcting the security flaw that allowed their patients’ data to be accessed. No payment was made, and the attacker made good on the threat and listed the data for sale.
A few days later it emerged that it was highly probable that one of the victims of the attacks was Athens Orthopedic Clinic. The clinic confirmed to Databreaches.net that it had received an extortion demand and that an investigation had been launched. However, the clinic did not confirm that it was the victim of a cyberattack, nor that its data had been listed for sale.
Yesterday, a HIPAA substitute breach notification about the Athens Orthopedic Clinic cyberattack was posted on the company website. The notice explained that patient data had been breached and that the attack was conducted via a third-party software vendor. The data stolen in the attack included full names, home addresses, dates of birth, telephone numbers, and Social Security numbers. Some patients also had some of their medical diagnoses and medical histories compromised.
Athens Orthopedic Clinic did not confirm in the breach notice exactly how many individuals have been affected, and the Department of Health and Human Services’ Office for Civil Rights has yet to add details of the Athens Orthopedic Clinic cyberattack to its breach portal. However, Databreaches.net has reported that 397,000 patient records were stolen in the Athens Orthopedic Clinic cyberattack.
The breach notice advises patients to obtain copies of their credit reports and to check for any signs of fraudulent activity, although it does not appear that credit monitoring and identity theft protection services are currently being offered to patients to protect them from financial harm.
Further security controls are being considered to reduce the risk of future cyberattacks, and an external security company has been brought in to make recommendations on additional security measures that should be deployed. The clinic has now confirmed that the contact information of patients is correct. HIPAA breach notification letters will start to be mailed today.