On September 2, 2022, Physicians’ Spine and Rehabilitation Specialists of Georgia confirmed that the company suffered a data breach after an unauthorized party gained access to sensitive consumer data through an apparent ransomware attack. According to Physicians’ Spine and Rehabilitation Specialists, the breach resulted in the compromise of certain individuals’ names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical diagnoses, medical treatment information, and insurance information. Recently, Physicians’ Spine and Rehabilitation Specialists sent out data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other scams.
What We Know About the Physicians’ Spine and Rehabilitation Specialists Data Breach
News of the Physicians’ Spine and Rehabilitation Specialists breach came from the practice’s official filing with the US Department of Health and Human Services Office for Civil Rights, as well as a notice on the practice’s website. According to these sources, on July 11, 2022, Physicians’ Spine and Rehabilitation Specialists learned that the practice had been the target of a cyberattack. Apparently, the attack took place a week before the company discovered the incident, and the hackers claim to have accessed and removed certain confidential information. The hackers also stated that they are ready to release the stolen data.
After learning of the cyberattack, Physicians’ Spine and Rehabilitation Specialists secured its computer network, contacted law enforcement, and began working with an outside cybersecurity firm to assist in the company’s investigation. This investigation confirmed that sensitive information was accessible to the hackers.
When it was determined that confidential consumer data had been accessed by unauthorized individuals, Physicians’ Spine and Rehabilitation Specialists reviewed the affected files to determine which information was compromised and which consumers were affected. While the information breached will vary from person to person, it may include your name, address, phone number, date of birth, Social Security number, driver’s license number, medical diagnosis information, medical treatment information, and insurance information.
On September 2, 2022, Physicians’ Spine and Rehabilitation Specialists sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. According to the US Department of Health and Human Services Office for Civil Rights, 39,765 people were affected by the Physicians’ Spine and Rehabilitation Specialists of Georgia data breach.
More About Physicians’ Spine and Rehabilitation Specialists of Georgia
Physicians’ Spine and Rehabilitation Specialists of Georgia is a physician practice group based in Rome, Georgia. The practice focuses exclusively on the non-surgical management of pain, providing patients with injections, nerve blocks and nerve stimulators, and minimally invasive procedures to treat tendonitis. Physicians’ Spine and Rehabilitation Specialists employs more than 85 people and has annual sales of approximately $17 million.
Was the Physicians’ Spine and Rehabilitation Specialists of Georgia Data Breach the Result of a Ransomware Attack?
In the letter from Physicians’ Spine and Rehabilitation Specialists of Georgia to victims of the recent data breach, the company described what appeared to be a ransomware attack. For example, the letter states that the group responsible for the attack “claims to have taken certain information/recordings that may be made public”. Although the letter doesn’t elaborate, it’s highly likely that the group of hackers encrypted parts of the Physicians’ Spine and Rehabilitation Specialists network and then threatened to publish the stolen data on the dark web if the company didn’t pay the requested ransom.
Encryption is a process that encodes files so that no one can access them without the encryption key (which is usually a password). Individuals and companies encrypt files every day to protect sensitive data from unauthorized access. However, cybercriminals also use encryption when performing certain types of cyberattacks, typically ransomware attacks.
Although Physicians’ Spine and Rehabilitation Specialists did not specifically state that the incident was due to a ransomware attack, the language in its letter is a good indication that this was the case.
A ransomware attack occurs when a hacker installs malware that encrypts files on a victim’s computer. When the attack victim logs back on to their computer, they receive a message explaining that they must pay a ransom if they want access to their computer again. If the company pays the ransom, the hackers will decrypt the files. Generally, hackers keep their word about decrypting files after a company has paid a ransom, otherwise companies would have no incentive to pay a ransom.
However, as seems to be the case here, hackers have recently begun threatening to publish the stolen data on the dark web if a company does not pay the ransom. While the FBI advises companies not to pay a ransom after a ransomware attack, companies that experience a ransomware attack are in a difficult position, as many would prefer to quietly pay a ransom to keep news of the breach from becoming public.
Of course, companies can, and should, take preventive measures to avoid becoming the target of a ransomware attack in the first place. For example, educating employees about the risks of phishing emails and developing state-of-the-art data security systems are two relatively easy steps organizations can take to prevent these attacks. Unfortunately, despite widespread knowledge about the risks of ransomware attacks, many organizations fail to devote adequate resources to preventing them.
Individuals who receive a data breach letter from Physicians’ Spine and Rehabilitation Specialists of Georgia are advised to take additional precautions to ensure the security of their information. As we’ve discussed before, while it’s up to an organization to prevent a data breach, there are still steps you can take to protect yourself.