ATLANTA — Patients of another metro Atlanta healthcare provider found out this week that their personal medical information was stolen by hackers.
This time, the target was the Atlanta Women’s Health Group.
The group just notified more than 30,000 patients about a data breach which occurred in April, 2023—the hackers stealing confidential medical records of some of the patients.
And it turns out that 2023 was a record-breaking year for cybersecurity attacks on healthcare providers and their patients, nationwide.
The hackers mine for personal healthcare information that they can steal, said Terry Ray, a healthcare data security expert. And, Ray said, they are striking gold.
“And they sell the records off,” Ray said Wednesday. “They say, 'Here's some current records about people who live in Atlanta... That’s pretty good stuff, that's pretty valuable.'”
Ray, with Imperva, a Thales company, said that what happened to patients of the Atlanta Women’s Health Group is increasingly routine in the healthcare industry.
The patients of Atlanta Women's Health Group were notified by the President and CEO, Dr. Genevieve Fairbrother, that this past April, hackers were able to steal patients’ protected health information, including their medical history, diagnosis, and treatment plans.
Dr. Fairbrother downplayed the extent of the breach, and she described the increased cybersecurity measures she’s put in place.
A new report in The HIPPA Journal, published Wednesday, said that “2023 was the worst year ever for breached healthcare records” in the U.S., with more than 133 million breached medical records nationwide.
Every one of the unsecured records could be a potential HIPAA violation.
The medical providers are required to report the cybersecurity breaches to HHS, and they can be held liable for inadequate cybersecurity that didn't stop the hackers.
HHS is investigating, for example, dozens of hacked metro Atlanta healthcare providers, who now face possible fines for the potential harm to their patients’ privacy.
“It could be a medication that somebody sought after because something that they've had in the past that they don't disclose to an employer,” Ray said. “It could be somebody who's on some kind of a drug addiction drug, for example, that maybe they didn't expose to an employer.”
Ray said it is understandable why healthcare providers often wait before notifying their patients about a data breach.
“I’m a user of health care, so I would like to know immediately. The sooner that I can do something about it, the better,” he said. “But before they make that announcement out to everybody, they need to make sure the door has been closed, the windows are locked. You want to make sure it's not going to happen again.”
The hackers, Ray said, then move on to find unsecured medical records kept by other health care providers, and mine for more gold.
In the notice to patients of Atlanta Women's Health Group (AWHG) on Tuesday, Dr. Fairbrother wrote, in part:
“...while the unauthorized user accessed certain files containing personal information of a subset of AWHG patients, AWHGs electronic health record (EHR) systems remained secure and were not exposed in the breach. There is no evidence that any of the accessed information has been improperly used and AWHG has secured evidence that the unauthorized user permanently deleted all compromised data....
“AWHG and our third-party forensic cybersecurity firm has conducted a thorough review and determined that the files that were accessed held documents containing protected health information that may have included demographic information like names, dates of birth, addresses, phone numbers, and patient account numbers; clinical information such as medical history, diagnosis, and treatment plans; and health insurance information, including insurance plans, id numbers, and claims information. Again, after extensive investigation, we do NOT believe any of our patients’ information has been misused, but we are notifying you in an abundance of caution.”
Here is the full statement that Atlanta Women’s Health Group emailed to 11Alive:
"On April 12, 2023, Atlanta Women’s Health Group (“AWHG”) identified anomalous activity on its computer system. AWHG immediately took steps to isolate its networks and fully contain the incident.
"AWHG, with the assistance of cybersecurity experts, proactively isolated the exposure and launched an investigation into the nature and scope of the incident. The forensic investigation was robust and ultimately determined that the unauthorized user accessed certain patient information.
"After AWHG confirmed that patient information was accessed, it launched an extensive and thorough data mining effort to identify potentially affected individuals.
"Although there is no evidence that any patient information has been improperly used, AWHG will be notifying the individuals whose personal information was involved in the incident.
"For most patients, this protected health information consists of patient name, date of birth, patient ID number, and other information that may be contained in medical records. AWHG has no evidence that this information was actually access or acquired by the unauthorized user, but is providing notice in an abundance of caution.
"AWHG values the privacy of all its patients, and we deeply regret that this incident occurred. Since the incident, AWHG has worked extensively with outside security consultants to implement additional cybersecurity measures to prevent a recurrence of such an attack and to continue protecting the privacy of our valued patients.
"We appreciate our patients for entrusting us with their care and rest assured that we remain committed to that care and to handling this unfortunate situation to the best of our ability. We have also reported this incident to the U.S. Department of Health and Human Services and the Federal Bureau of Investigation.
"Again, while AWHG is unaware of any actual or attempted misuse of protected health information as a result of this incident, AWGH nevertheless encourages individuals to review credit reports, health account statements, health insurance account records and explanations of benefit forms for suspicious activity and report all suspicious activity to the institute that issued the record immediately."