Peachtree notified patients in October of the breach, which occurred in September. The company said it is cooperating with the FBI and forensic experts in an investigation into the matter.
Peachtree Orthopedics said patient names, addresses, email addresses, birth dates and in some cases Social Security numbers might have been stolen.
The practice has offered a year of identity protection services and credit monitoring for affected patients.
In a statement, Peachtree said: “We remain focused on caring for our patients and supporting those affected, and we are working closely with outside experts as part of an ongoing review of our security measures.”
Peachtree Orthopedics has offices in Alpharetta, Buckhead, College Park, Cumming, Duluth, East Cobb, Sandy Springs and Woodstock.
Medical organizations, including practices, hospitals and health insurers, are tempting targets for nefarious actors, said Paul Stephens, director of policy and advocacy at California-based Privacy Rights Clearinghouse.
Electronic health records can include such sensitive information as patient medical histories, Social Security numbers and other personal identifiers and payment information such as credit card numbers, he said.
“I would say health care organizations are one of the prime targets for hackers,” Stephens said. “It’s a wealth of information for people of ill intent to get their hands on.”
Privacy Rights Clearinghouse has tallied 282 reported breaches of medical organizations in the U.S. so far this year, totaling nearly 4 million known patient records.
The organization defines a record as any compromised file of personal information that includes sensitive data such as Social Security numbers, financial account numbers or driver’s license numbers.
In 2015, the group recorded 82 reported breaches of medical firms in the U.S., accounting for more than 8.7 million known patient records. In 2014, Privacy Rights Clearinghouse said 77 reported breaches involved nearly 5 million patient records.
At the time Peachtree Orthopedics notified patients of the hacking, the number of patients affected was not disclosed.
Peachtree Orthopedics reported last month to the U.S. Department of Health and Human Services that 531,000 individuals’ records were compromised, according to the database obtained by Channel 2. As is typical with such incidents, the number of people whose identity has been stolen so far either isn’t known or hasn’t been disclosed.
A breach does not necessarily mean a person’s identity will be stolen. But once information is exposed, the damage may not be apparent for years, Stephens said.
He recommends consumers use free services offered by the company, but also research other protective measures.
“Once that information is out there you can’t get it back,” he said. “There is nothing to stop a criminal from using the information they get several years down the road.”
Peachtree Orthopedics breach
Patients affected: 531,000
Date confirmed: Sept. 22
Information exposed: Names, home and email addresses, birth dates and potentially Social Security numbers, treatment codes and prescription information
Sources: U.S. Department of Health and Human Services database, Peachtree Orthopedics