On August 17, 2023, SouthCoast Medical Group (Southcoast Health) in Georgia notified HHS of a breach and posted a preliminary substitute notice on its website. At the time, they reported to HHS that 501 patients were affected, a marker for when an entity doesn’t yet know the actual number but knows it will be more than the 500 that triggers timely notification to HHS. The SouthCoast incident was one of more than 50 incidents that Protenus’s Breach Barometer report noted used a marker in 2023 that wasn’t updated by the end of the year.
Almost one year later, on July 5, 2024, SouthCoast Health and Privia Medical Group of Georgia notified South Carolina that 32,835 South Carolinians were affected by the June 2023 incident. The notification included a copy of the letter being sent to affected patients. SouthCoast also updated its substitute notice, emphasizing that the breach involved only its network and not Privia’s network.
In its notification letter, SouthCoast reported that the incident occurred between June 15 and June 18, 2023, and was discovered on June 18, 2023. The types of information involved varied by individual but included name, Social Security number, passport number, driver’s license number, vehicle license plate number, state identification number, military identification number, student identification number, taxpayer identification number, date of birth, copy of birth certificate, copy of marriage certificate, mother’s maiden name, medical information, health insurance information, email/username and password or security questions and answers, financial account information, payment card information, and electronic/digital signature. From the data types, it sounds like both employee and patient information may have been accessed or acquired.
What We Still Don’t Know
SouthCoast’s entry on HHS has yet to be updated so we still do not know the total number of patients affected. Nor do we know whether there was any ransom demand or if any group claimed responsibility for this attack. DataBreaches emailed Privia to ask whether the attack on SouthCoast was a ransomware attack, whether there was any ransom/extortion demand, what group was responsible for the attack, and whether Privia knows where the stolen data are now. No reply was immediately received.
The SouthCoast Health incident is the third incident in June 2023 where patients are first being notified. As DataBreaches reported this week, another Georgia entity, SysInformation Health dba EqualizeRCM, discovered a ransomware attack on June 18, 2023, and is now notifying patients. And also in June 2023, Florida Community Health Centers discovered a ransomware attack and is now notifying almost 300,000 patients. That makes three incidents in June 2023, two of which were confirmed ransomware attacks, where it has not been publicly disclosed who was responsible for any of these attacks. Three incidents that were so bad that it took the entities a year to figure out who was affected and whom to notify. Three incidents, two of which were confirmed ransomware attacks, where the data have not shown up on any leak site or forum. Is it all just coincidence or is one group responsible for two or all three of these attacks?