Several spine and orthopedic groups recently reported cyberattacks as the number of data breaches continues to rise in the healthcare industry. Hackers traditionally have targeted large hospitals and health systems but may see smaller physician practices with fewer resources as softer targets.
Here are 11 updates from data breaches at spine and orthopedic practices in the last nine months:
1. Durham, N.C.-based EmergeOrtho has notified 75,200 patients that some of their protected health information may have been accessed by unauthorized individuals. On May 18, the practice detected and blocked a ransomware attack on some of its computer systems. EmergeOrtho said most of the affected patients reside in the Coastal region. The practice worked with a team of IT specialists to confirm the security of its computer network and said it is also coordinating with the FBI.
2. Tampa-based Florida Orthopaedic Institute agreed to pay $4 million to settle allegations it failed to protect consumers in a June 2020 ransomware attack. Hackers accessed a server through a ransomware attack on encrypted data stored on the practice's servers. A class-action suit alleged the practice did not properly secure protected health information and sought $99 million on behalf of those affected by the breach. The practice has not admitted any wrongdoing but agreed to establish a $4 million settlement fund to resolve the allegations.
3. Jackson-based Mississippi Sports Medicine and Orthopaedic Center experienced a March 9 data breach that affected the personal information of 500 people. An investigation found that employee email accounts had been accessed by an unauthorized person from Jan. 25 to March 10, and sensitive files may have been viewed or taken March 3-10. Some patient records were encrypted during the incident and could not be recovered.
4. Quincy, Mass.-based Shields Health Care Group experienced a data breach that affected several of its facilities, including Portsmouth, N.H.-based Atlantic Orthopaedics & Sports Medicine and Newton (Mass.) Wellesley Orthopedic Associates. An investigation found an unauthorized party gained access to Shields' computer system March 7. The group provides management and imaging services to various facilities and said the breach likely involved access to affiliated patients' information.
5. Christiana Spine Center, a nine-physician group in Newark, Del., was hit by a ransomware attack that could have exposed patients' protected health information, according to a May 31 statement. The practice confirmed its network was accessed by an unauthorized party. An investigation is ongoing.
6. Goodman Campbell Brain and Spine in Carmel, Ind., issued a June 3 alert to patients about a cyberattack that occurred in May. The practice said its computer networks and communications were affected. The full extent of the attack remains under investigation, but it was confirmed that patient and employee data were accessed.
7. Oradell-based New Jersey Brain and Spine was the target of a cyberattack that affected more than 92,000 patients, according to HHS data. New Jersey Brain and Spine began notifying affected individuals March 20.
8. Marion-based Central Indiana Orthopedics suffered a data breach that may have exposed the protected health information of up to 83,705 individuals. On March 7, the practice began sending data breach notifications to people whose information was contained in the affected files.
9. Boca Raton-based IRise Florida Spine and Joint Institute was hit with a data breach that affected 61,595 individuals. Employees at the practice discovered that an email account was accessed by an unauthorized party. A data breach report was submitted to HHS on Jan. 21.
10. Jacksonville, Fla.-based Jax Spine and Pain Centers was hit with a Jan. 24 ransomware attack that affected patient data files created before May 2018.
11. Omaha-based OrthoNebraska was struck with a data breach that put some patient information at risk. On Dec. 1, 2021, an unauthorized party accessed an OrthoNebraska email account, the practice said in a statement. An investigation found the affected data contained personal information. There hasn't been any evidence that the information was used for identity theft or fraud. There also was no indication of access to medical records.