HHS is investigating a phishing attack at Georgia Spine & Orthopaedics of Atlanta.
HHS estimates 7,012 individuals may be affected by the attack, in which scammers got unauthorized access by sending a malicious email at the practice. After learning of the malicious email, Georgia Spine & Orthopaedics took actions to terminate the unauthorized access.
The phishing incident occurred July 11. Georgia Spine & Orthopaedics officials said, "Because of the way the email account was accessed, a desk copy of certain emails was potentially saved onto the computer of the unauthorized third party — likely unintentionally, but we had to assume that the third party retained a copy of the data."
An investigation of the incident found the mailbox of the attacked computer included patient names and other information found in medical records. A few emails contained Social Security numbers and/or driver's license numbers.
The unauthorized access did not extend outside of the single email account. Georgia Spine & Orthopaedics is notifying patients who may have been affected.