Records of more than half a million patients were compromised earlier this year when cyber criminals breached the systems of Atlanta-based Peachtree Orthopedics.
The hacking was the largest data breach of a medical-related group in Georgia this year, and the sixth-largest in the health care sector in the nation in 2016, according to data obtained from the federal government by Channel 2 Action News.
Criminals have breached a number of high-profile targets in recent years, including the payments systems of Home Depot, the accounts of at least a half billion Yahoo users and the information of hundreds of thousands of taxpayers held by the Internal Revenue Service.
Peachtree notified patients in October of the breach, which occurred in September. The company said it is cooperating with the FBI and forensic experts in an investigation into the matter.
Peachtree Orthopedics said patient names, addresses, email addresses, birth dates and in some cases Social Security numbers might have been stolen.
The practice has offered a year of identity protection services and credit monitoring for affected patients.
In a statement, Peachtree said: “We remain focused on caring for our patients and supporting those affected, and we are working closely with outside experts as part of an ongoing review of our security measures.”
Peachtree Orthopedics has offices in Alpharetta, Buckhead, College Park, Cumming, Duluth, East Cobb, Sandy Springs and Woodstock.
Medical organizations, including practices, hospitals and health insurers, are tempting targets for nefarious actors, said Paul Stephens, director of policy and advocacy at California-based Privacy Rights Clearinghouse.
Electronic health records can include such sensitive information as patient medical histories, Social Security numbers and other personal identifiers and payment information such as credit card numbers, he said.
“I would say health care organizations are one of the prime targets for hackers,” Stephens said. “It’s a wealth of information for people of ill-intent to get their hands on.”
Privacy Rights Clearinghouse has tallied 282 reported breaches of medical organizations in the U.S. so far this year, totaling nearly 4 million known patient records.
The organization defines a record as any compromised file of personal information that includes sensitive data such as Social Security numbers, financial account numbers or driver’s license numbers.
In 2015, the group recorded 82 reported breaches of medical firms in the U.S., accounting for more than 8.7 million known patient records. In 2014, Privacy Rights Clearinghouse said 77 reported breaches involved nearly 5 million patient records.
At the time Peachtree Orthopedics notified patients of the hacking, the number of patients affected was not disclosed.
Peachtree Orthopedics reported last month to the U.S. Department of Health and Human Services that 531,000 individuals’ records were compromised, according to the database obtained by Channel 2. As is typical with such incidents, the number of people whose identity has been stolen so far either isn’t known or hasn’t been disclosed.
A breach does not necessarily mean a person’s identity will be stolen. But once information is exposed, the damage may not be apparent for years, Stephens said.
He recommends consumers use free services offered by the company, but also research other protective measures.
“Once that information is out there you can’t get it back,” he said. “There is nothing to stop a criminal from using the information they get several years down the road.”