Healthcare , Incident & Breach Response , Industry Specific

Cardiology Practice: Hack Affected 281,000 Patients, Docs

Breach Spotlights the Cyber Woes Faced by Other Medical Specialty Entities
Cardiology Practice: Hack Affected 281,000 Patients, Docs
Alabama Cardiology Group, which is affiliated with Grandview Medical Center and maintains an office in its building, said 281,000 individuals were affected by a recent hack. (Image: ACG)

An Alabama cardiology practice is notifying nearly 281,000 current and past patients, physicians and employees that hackers stole their sensitive information.

See Also: Enterprise Browser Supporting Healthcare, Cyber Resilience

Alabama Cardiology Group, which has about two dozen physicians and describes itself as a "relatively small" group practice, reported the breach to federal regulators on Aug. 2 as a hacking incident involving a network server.

"If you are a current or past patient of a physician at ACG, or a current or past guarantor, employee, or physician at ACG, your personal information may have been affected," ACG said in an online breach notice.

The practice said it became aware on July 2 that unauthorized parties accessed its computer network, leading to its network being severed from the internet. An investigation determined that between June 6 and July 2, threat actors gained obtained personal information. ACG said it notified law enforcement.

The information affected by the incident varies among individuals. It includes identifying information, Social Security numbers, health insurance information and claims, usernames and passwords. It could include financial information including payment card and bank account information.

Medical information potentially compromised includes dates of service, diagnoses, medications, images, lab results and other treatment information.

Details provided by Alabama Cardiology Group suggest that the practice was victimized through credential abuse, said Mike Hamilton, founder and CISO of security firm Critical Insight.

"Whether this was stuffing, brute-forcing, session-stripping or finding a password that was reused, it also seems indicative of a lack of multifactor authentication," he said.

The practice did not immediately respond to Information Security Media Group's request for comment.

A Rash of Breaches at Specialty Medical Practices

Data breach reporting to federal regulators shows a slew of incidents in recent months at specialty medical practices ranging from orthopedic to mental health.

Small practices typically don't have dedicated cybersecurity staff - and physicians and support staff mostly lack the expertise to implement adequate controls, Hamilton said. "The records they store are just as valuable as those from larger institutions so that the risk/reward calculation is favorable to criminals," he said.

Kate Borten, president of privacy and security consultancy The Marblehead Group, offered a similar assessment. Specialty practices face higher risks than other entities because they have large volumes of individually identifiable data, and they typically have less robust security programs, she said.

"Their security weaknesses may be due to budget constraints and failure to prioritize security and privacy," she added.

The lack of prioritization could come back to haunt them, according to Borten. Many practices face serious post-breach financial pressures and in some cases, even bankruptcy, she said (see: Rural Healthcare Provider Closing Due in Part to Attack Woes).

"If the practice survives, they are apt to invest more in their security program going forward," Borten said.

To help avoid such scenarios, smaller medical practices and specialty healthcare providers can consider using managed and professional security services to "raise the risk bar," Hamilton said. Practices should align their security practices with HHS' cybersecurity performance goals, "at a minimum," he said.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.