John Shirek reports that Atlanta Women’s Health Group just notified more than 30,000 patients about a data breach that occurred in April 2023. As is too often the case, the incident resulted in the theft of patients’ protected health information. 11Alive reproduced part of the letter sent to patients, which says:
“…while the unauthorized user accessed certain files containing personal information of a subset of AWHG patients, AWHG’s electronic health record (EHR) systems remained secure and were not exposed in the breach. There is no evidence that any of the accessed information has been improperly used and AWHG has secured evidence that the unauthorized user permanently deleted all compromised data….
“AWHG and our third-party forensic cybersecurity firm have conducted a thorough review and determined that the files that were accessed held documents containing protected health information that may have included demographic information like names, dates of birth, addresses, phone numbers, and patient account numbers; clinical information such as medical history, diagnosis, and treatment plans; and health insurance information, including insurance plans, ID numbers, and claims information. Again, after extensive investigation, we do NOT believe any of our patients’ information has been misused, but we are notifying you in an abundance of caution.”
Read more at 11Alive. AWHG’s statement can be found on its website. The statement does not explain why, if they first discovered anomalous activity on the network on April 12, 2023, it took until January 31, 2024, to notify patients, when HIPAA and HITECH require notification no later than 60 calendar days from discovery.