PHI Exposed Due to Data Breaches at Gore Medical Management and Pennsylvania Adult & Teen Challenge

Medical practice company Gore Medical Management, based in Griffin, GA, has discovered a historic data breach affecting the protected health information (PHI) of 79,100 people. The breach happened in 2017 and affected patients of Family Medical Center, based in Thomaston, which is now connected to Upson Regional Medical Center.

In November 2020, the Federal Bureau of Investigation informed Gore Medical Management that a third-party computer recovered during an investigation was found to contain the PHI of Family Medical Center patients.

The breach investigation confirmed that a hacker exploited a vulnerability to gain access to Family Medical Center's network. The vulnerability was identified and fixed a few months after the breach, but the breach itself was not discovered at the time. The medical record system wasn't affected; however, files containing names, addresses, dates of birth, and Social Security numbers were copied. No financial data or healthcare data was involved.

There does not appear to have been any further access to its systems or any other information transfers since 2017. Gore Medical Management has already sent notifications to all impacted patients and has provided them with a 12-month membership to identity theft protection and credit monitoring services.

Pennsylvania Adult & Teen Challenge Detected Compromised Email Accounts With PHI of 7,771 People

Pennsylvania Adult & Teen Challenge, located in Rehrersburg, PA, reported that an unauthorized individual gained access to employee email accounts that held the PHI of 7,771 individuals. This provider offers addiction treatment programs for adults and youth.

On July 29, 2020, the provider detected suspicious activity in an email account and took steps to stop further access and investigate the breach. The investigation confirmed that an unauthorized person accessed selected email accounts from July 27, 2020 to July 30, 2020.

A forensic investigation was carried out, and the compromised accounts were reviewed to determine which records may have been obtained by the attacker. The review process was finished on December 29, 2020.

The types of information contained in the accounts varied from one person to another and might have included names together with one or more of the following data elements: date of birth, financial account details, payment card details, driver's license number, Social Security number, prescription data, diagnosis data, treatment data, treatment provider, health insurance details, medical data, Medicare/Medicaid ID number, employer identification number, electronic signature, username, and password.

It was not possible to determine whether the hacker accessed or obtained data in the email accounts, but no reports have been received so far that indicate the misuse of any patient information. Notification letters were recently sent to affected persons, and free identity theft protection services were provided.