Recently, Goodman Campbell Brain and Spine confirmed that the company experienced a data breach after an unauthorized party gained access to the sensitive consumer data contained on the network. According to Goodman Campbell, the breach resulted in personal information belonging to employees and patients being compromised. Goodman Campbell is still investigating the extent of the breach, including what types of data were leaked; however, in the meantime, the company posted notice of the breach on its website.
If you receive a data breach notification from Goodman Campbell in the future or believe you were among those affected by the breach, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Goodman Campbell Brain and Spine data breach, please see our recent piece on the topic here.
More Information About the Goodman Campbell Brain and Spine Data Breach
According to the notice provided on Goodman Campbell’s website, on May 20, 2022, the practice learned that it had fallen victim to a cyberattack affecting its computer network and communications systems. After making this discovery, Goodman Campbell began securing its systems and retained a team of cybersecurity professionals to investigate the incident. The company’s remedial efforts and investigation are both still underway. However, Goodman Campbell confirmed that “initial analysis indicates that both Goodman Campbell patient and employee data has been accessed by an unauthorized party.”
Goodman Campbell Brain and Spine is a healthcare provider based in Carmel, Indiana. Originally founded in 1970 under the name Indianapolis Neurosurgical Group has grown significantly since its early days. Currently, Goodman Campbell Brain and Spine operates nine locations across Indiana, including in Indianapolis, Waukesha, Mooresville, Greenwood, Fishers, Avon and Carmel. Goodman Campbell Brain and Spine employs more than 221 people and generates approximately $40 million in annual revenue.
More About Data Breaches Affecting Personal Health Information
While Goodman Campbell does not yet know the exact data types that were compromised in the recent breach, given what we know so far, it is likely that at least some patients’ protected health information was leaked. Protected health information refers to identifying information relating to a patient’s past, present or future health condition. It can also refer to information pertaining to how a patient pays for their healthcare.
However, healthcare-related data, on its own, isn’t necessarily protected health information. To be considered protected health information, data must contain one or more “identifiers” that can be used to pair up the data with a specific patient. Thus, when protected health information gets exposed, it means that, with a little work, hackers can identify the patient it belongs to.
The harms that can come from a healthcare data breach are very real. Often, the data obtained through this type of data breach provides the hacker with the information they would need to commit identity theft or other frauds. However, identity theft following in the wake of a healthcare data breach is much harder to “fix” and often comes at a far greater cost to the victim than other types of data breaches.
For example, hackers often conduct healthcare data breaches in hopes of obtaining valuable information they can then sell to a third party. The third-party can then use the data they obtained from the hacker to get medical treatment in the victim’s name. This carries financial consequences because the victim’s insurance will get billed for procedures they never had performed. Or, if a patient doesn’t have health insurance, they will be personally responsible for the bill.
The other, more serious risk is that a person who is pretending to be a patient provides the doctor or surgeon with information about themselves that ends up in the patient’s medical record. For example, an imposter patient could provide a doctor with their own list of allergies or the medications they are taking. This can—and often does—result in inaccuracies on a victim’s medical record, which can result in the victim not receiving the appropriate treatment the next time they visit the doctor.