GA Provider Sends Notice of Healthcare Data Breach to 9,800 Patients

August 25, 2021 - Atlanta Allergy & Asthma (AAA) began notifying 9,800 patients of a healthcare data breach that resulted in protected health information (PHI) being removed from the provider’s network in January. 

AAA identified suspicious activity on its network between January 5 and January 13, 2021. After a thorough investigation, the provider discovered in July that PHI was removed from its network.

The removed information included full names, birthdates, Social Security numbers, diagnoses, treatment information and costs, provider names, financial account numbers, treatment location, dates of service, and patient health insurance information.

AAA began notifying its patients on August 20.

“To date, AAA is not aware of any reports of identity fraud or improper use of any information as a direct result of this incident,” the announcement stated.

The announcement suggested that impacted individuals should enroll in complimentary credit monitoring services, place a fraud alert on their credit files, and remain vigilant of suspicious activity.

“AAA is committed to maintaining the privacy of personal information in its possession and has taken many precautions to safeguard it” the announcement continued.

“AAA continually evaluates and modifies its practices and internal controls to enhance the security and privacy of personal information.”

AAA is the largest allergy group in the region, with 17 locations across Atlanta, GA.

Data breaches like this one are becoming practically daily occurrences in the healthcare sector and can impact patient care coordination and safety. The industry saw a sharp increase in healthcare data breaches during COVID-19.

A recent cyberattack on Memorial Health System, which has locations in West Virginia and Ohio, resulted in appointment cancellations and emergency department diversions in mid-August. The cyberattack also disrupted clinical and financial operations across the health system.

Another attack on University Medical Center (UMC) in Las Vegas exposed the PHI of patients and staff members in mid-June. The incident did not disrupt patient care.

Cyber threats are becoming so frequent that HHS issued a joint cybersecurity advisory in late 2020. But many health systems are still unprepared for cyberattacks. A recent survey revealed that cybersecurity investments were not a high priority for many hospital IT teams, and most hospitals are unprotected against some of the most common vulnerabilities.

Health systems can patch computers, educate employees, and enable two-factor authentication, but the onus is not all on the hospitals themselves. The federal government has taken notice of the increasing frequency of cyberattacks. President Biden signed an executive order earlier this year that aims to tighten the nation’s cybersecurity infrastructure and ensure supply chain security.

A study conducted in June by the Government Accountability Office (GAO) found a significant lack of defined roles and responsibilities within HHS’ security departments, which may have resulted in inadequate cybersecurity efforts.

The report found that HHS fell short in following industry best practices and collaboration with colleagues.

“This lack of sharing is due, in part, to HHS not describing coordination between the two entities in procedures defining their responsibilities for cybersecurity information sharing,” the GAO study explained.

“Until HHS formalizes coordination for the two entities, they will continue to miss an opportunity to strengthen information sharing with sector partners.”