Several of Madison County BOC chairman Anthony Dove’s family members recently received a letter from Athens Orthopedic Clinic informing them of a “data breach” of patient electronic medical records at their practice. It seems those letters were just the tip of a very big iceberg that is potentially affecting the protected health information of people all over the area – including many in Madison County.
The form letter, reportedly sent out to more than 200,000 current and former patients, informed recipients that “we regret to inform you that our practice has discovered an apparent breach of your personal health information. This breach occurred on June 14, 2016 and we became aware on June 27 that a potential breach had occurred that was confirmed several days later.”
The letter goes on to say that the breach occurred by way of a “cyber-attack” when the login credentials of an outside vendor were used to access their electronic record system. The Clinic also stated that this vendor had been terminated.
Most of these letters were not received until last week — more than a month after the breach was discovered.
Chairman Dove said he is particularly worried since reading in various other news sources that the information may have been sold to an underground organization calling itself the ‘Dark Overlords,’ that has already advertised the stolen records for sale on the black market. He said his family members followed the letter’s instructions to contact one of the three credit bureaus and place a fraud alert on their credit reports.
The Clinic also said in the letter that they had retained the services of cyber security experts to “make recommendations for additional improvements to our system, and have begun implementing these recommendations.”
They will not, however, offer free credit monitoring for their clients, citing financial constraints, but instead provided clients with phone numbers and contacts for Equifax, Experian and TransUnion, the three major credit reporting bureaus.
Elaine Brown, of Danielsville, also got a letter.
“I wasn’t surprised when I got the letter as I had seen the information on the Internet,” Brown said. “The only thing I can say is I am upset as to why a practice that large didn’t have themselves covered with better protection. I also thought that (since) we have to give all our personal information to all these places, how well are we protected? Especially since most of the things with our information has been outsourced to other countries.”
Colbert resident Melanie Hughston said both she and her husband got letters from Athens Orthopedic.
“It was upsetting, of course, but not shocking,” she said. “We have always monitored our credit reports as we are big believers in personal responsibility and have very little faith in computers. As retired federal employees, we were also breached by the Chinese hackers as well. We depend too much on technology and it’s my belief we need to be more in charge of our own lives.”
In a similar vein, she said she notices that now everyone wants to email receipts instead of printing them, or to do paperless billing instead of mailing out a bill for services.
“It’s (the problem) twofold,” she said. “It sets up situations for easy breaching and it also limits those who are low income or older without computers and/or skills. It reaches farther than a simple breach.”
Hughston said she feels the company should be held responsible.
“As a business, they were entrusted with our information,” Hughston said. “We had no choice in the matter. Their attitude of ‘our business is more important than your security’ is ridiculous. As to them providing some type of monitoring, I do think they should. Our medical information is very protected. That to me is the worst violation of all.”
Athens Orthopedic posted the following on their Facebook page, shortly after making the breach public on their website, but before individual letters were mailed:
“We appreciate the worry and uncertainty that yesterday’s announcement about our data breach of patient electronic medical records caused you, and we ask for your understanding that the data breach is an uncomfortable and unfortunate situation for us also. There is a letter being printed that will begin being mailed this week with similar details that are already found on our website and on our toll-free line at 844-382-9364. If you have not heard about the data breach before this post, we ask that you go to our website at http://athensorthopedicclinic.com/important-news-for-patie…/ for instructions on how to set up fraud alerts for yourself and your children who may be patients of our practice.”
Ashley Fitzpatrick, of Danielsville, whose family also received the letter, said she has a credit monitoring service, which gives her a sense of security against such breaches. She said the company she uses costs about $270 per year for their service and she highly recommends it.
And, as is to be expected, law firms are also taking notice.
Pennsylvania-based class action data breach attorneys Goldman Scarlato & Penny announced that they are investigating a possible claim on behalf of all persons whose private information was compromised as a result of a data breach at Athens Orthopedic Clinic.
The following notice was posted on Facebook:
“On July 25, 2016, the Georgia-based clinic announced that its electronic database was breached ‘when a hacker used the credentials of an outside contractor who performed certain services for the Clinic.’ The personal records of 397,000 patients were stolen. Athens stated, ‘Personal information of our current and former patients has been breached, including names, addresses, social security numbers, dates of birth and telephone numbers, and in some cases diagnoses and partial medical history.’ News articles show that Athens first learned of the breach in June, about one month before it made the announcement.”
The law firm also stated that “recent news reports indicate that an underground organization calling itself the ‘Dark Overlords’ has already advertised that stolen records from this breach are for sale on the black market.”
The law firm goes on to say that the Clinic manages at least “11 locations throughout Georgia,” including ones in Commerce, Covington, Jefferson and Royston, to name a few.
The law firm urges letter recipients to be concerned about identity theft and says such information can be used to file false tax returns, make fraudulent claims for health care coverage, open credit accounts in the name of the victim, and more.
The firm goes on to urge those who received the letter to contact them about a possible class action lawsuit.