Notice of Data Incident
Atlanta, Georgia – November 1, 2023 – Georgia Hand, Shoulder & Elbow, P.C. (“GHSE”) notified certain current and former patients that their personal information may have been accessed as part of a business email compromise. GHSE takes the privacy and security of information in its possession very seriously and sincerely apologizes for any inconvenience this incident may cause. This notice is intended to alert potentially impacted individuals of the incident, steps we are taking in response, and resources available to assist and protect individuals.
What Happened
On July 5, 2023, Georgia Hand, Shoulder & Elbow, P.C. (“GHSE”) detected suspicious activity within an employee’s business email account. Upon detecting the suspicious activity, GHSE’s IT professionals immediately secured the email environment by disabling the account, locking the email tenant, and resetting passwords. We then promptly engaged third-party forensic specialists to investigate the incident to determine the extent of the unauthorized activity. The forensic investigation determined only one business email account was compromised due to a sophisticated phishing email scheme. After extensive electronic discovery, which concluded on September 15, 2023, we determined an unauthorized third party may have acquired certain individual personal and health information during this incident. GHSE is providing written notice to all impacted individuals. GHSE has no reason to believe that any individual’s information has been misused as a result of this event. As of this writing, GHSE has not received any reports of misuse of information and/or related identity theft since the date the incident was discovered (July 5, 2023 to present).
What Information Was Involved
Again, we found no evidence that patient information has been specifically misused. However, the following information could have been acquired and disclosed by an unauthorized third party: first name, last name, address, date of birth, Social Security number, driver’s license number, medical record number, patient ID number, Medicare/Medicaid number, health insurance information, financial account information or credit and debit card numbers, and certain health information. Notably, the types of information affected were different for each individual, and not every individual had all the above listed elements exposed. Additionally, please note that GHSE’s electronic medical records system and your medical records were not impacted in this incident.
What We Are Doing
Security and privacy of patient data is among our highest priorities. Upon detecting this incident, we moved quickly to initiate a response, which included conducting an investigation with the assistance of IT specialists and confirming the security of our network environment. We have made immediate enhancements to our systems, security and practices. Additionally, we have engaged appropriate experts to assist us in conducting a full review of our security practices and systems to ensure that enhanced security protocols are in place going forward. We are committed to helping those people who may have been impacted by this unfortunate situation.
The notification letter to the potentially impacted individuals includes steps that they can take to protect their information. In order to address any concerns and mitigate any exposure or risk of harm following this incident, GHSE has arranged for complimentary credit monitoring services and identity theft protection services to all potentially impacted individuals at no cost to them for a period of twelve months. GHSE recommends that individuals enroll in the services provided and follow the recommendations contained within the notification letter to ensure their information is protected.
For More Information
Individuals seeking more information or who have questions about this incident may call GHSE’s dedicated toll-free helpline at 1-833-770-0673, from 8:00 am to 8:00 pm Eastern Time, Monday through Friday, excluding. In addition, individuals may visit GHSE’s website for more information at https://www.gahand.org/.
Thank you for entrusting GHSE with your orthopedic needs. We value the security of the personal data that we maintain, and understand the frustration, concern, and inconvenience that this incident may have caused.