The information of more than 125,000 people had been exposed for a year by the time Bethesda, Md.-based Centers for Advanced Orthopaedics found that it had been the victim of a cyberattack this year, the centers recently informed patients and members of its employee health plan.
On Sept. 17, 2020, the practice identified unusual email activity and launched an investigation into the incident with assistance from cybersecurity experts. On March 25, the group began notifying 125,291 patients, employees and dependents of the cyberattack.
"Multiple employee email accounts were subject to unauthorized access between October 2019 and September 2020," the practice said in a news release. Centers for Advanced Orthopaedics subsequently initiated a data-mining effort to identify potentially affected individuals.
The practice on Jan. 25 determined that protected health information was contained in emails accessible to the cybercriminal, but said it cannot confirm whether this information was accessed or acquired by the individual.
Information exposed in the hacks may include Social Security numbers, passport number and financial account information.
The practice said it is reviewing policies and procedures, assessing its security infrastructure and installing additional safeguards to protect against future cyberattacks.