Local health care providers said they have taken note of a data breach at a clinic in Athens that exposed the private information and medical history of some 200,000 current and former patients.
“What’s so scary about this … every time you think you’ve figured it out, the hackers come up with a new way,” said Mimi Collins, CEO of The Longstreet Clinic in Gainesville.
Computer and online security has become more critical as electronic recordkeeping becomes the norm.
Identity theft affected more than 17 million Americans in 2014, according to federal statistics, costing about $15 billion in losses.
Credit card, bank and government documents and benefits fraud were among the most common forms of identity theft.
In a letter sent to patients recently, a copy of which was obtained by the Times, Athens Orthopedic Clinic CEO Kayo Elliott said the recent “cyber attack” occurred when the log-in credentials of a third-party vendor were used to access the clinic’s electronic health records system.
Names, addresses, Social Security numbers, dates of birth, contact information and medical histories and diagnoses were among the personal data compromised in the hack, which occurred June 14 and was discovered June 27.
The vendor, identified only as a health care information management contractor, has been terminated and investigators have been hired to make recommendations for improving security, Elliott said in the letter.
The clinic is urging patients to monitor their credit history for fraudulent activity, and it is reportedly working with the FBI after a ransom demand was allegedly made to keep patients’ information private.
It’s all too late, however, for Gainesville resident Tammy Hansen, who said the clinic’s delayed response and refusal to provide credit-monitoring coverage have angered affected patients.
“They have known of the breach since June,” she added. “I’m being informed in August. Their only recommendation is to get free credit reports to see what damages may have already occurred.”
Collins said an incident like this is a wake-up call for health care providers to vigilantly ensure patient privacy.
The Longstreet Clinic, for example, hires security experts to routinely perform internal audits of who has access to certain patient information and provide a “road map” for future protocols, Collins said.
And a team of management and practitioners regularly meets to address these issues and “do everything we can to protect records,” Collins said.
Sean Couch, public relations and marketing manager with the Northeast Georgia Health System, said information technology professionals are constantly updating internal systems to protect patients’ personal information.
“They also routinely test and proactively monitor those systems and protocols to find potential vulnerabilities and address them as quickly as possible,” he added.
For Hansen, the data breach at the Athens clinic leaves her guessing about how her personal information might be used and the potential consequences.
“I feel like I’m stuck and the damage is already done,” she said. “Someone may or may not have my personal info, and even if they don’t use it right away, it could only be a matter of time before it gets used in the future.”