On September 2, 2022, the Physicians’ Spine and Rehabilitation Specialists of Georgia confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data through what appears to be a ransomware attack. According to the Physicians’ Spine and Rehabilitation Specialists, the breach resulted in the names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical diagnoses, medical treatment information, and insurance information of certain individuals being compromised. Recently, the Physicians’ Spine and Rehabilitation Specialists sent out data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other frauds.
What We Know About the Physicians’ Spine and Rehabilitation Specialists’ Data Breach
News of the Physicians’ Spine and Rehabilitation Specialists data breach comes from the practice’s official filing with the U.S. Department of Health and Human Services Office for Civil Rights as well as a notice posted on the practice’s website. According to these sources, on July 11, 2022, the Physicians’ Spine and Rehabilitation Specialists became aware that the practice had been the target of a cyberattack. Evidently, the attack occurred the week prior to the company’s discovery of the incident, and the hackers claim to have accessed and removed certain sensitive information. The hackers also indicated that they were willing to post the data they stole.
After learning of the cyberattack, the Physicians’ Spine and Rehabilitation Specialists secured its computer network, contacted law enforcement, and began working with an outside cybersecurity firm to assist with the company’s investigation. This investigation confirmed that sensitive information was accessible to the hackers.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, the Physicians’ Spine and Rehabilitation Specialists reviewed the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, address, phone number, date of birth, Social Security number, driver’s license number, medical diagnoses information, medical treatment information, and insurance information.
On September 2, 2022, the Physicians’ Spine and Rehabilitation Specialists sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. According to the U.S. Department of Health and Human Services Office for Civil Rights, the Physicians’ Spine and Rehabilitation Specialists of Georgia data breach affected 39,765 people.
More Information About The Physicians’ Spine and Rehabilitation Specialists of Georgia
The Physicians’ Spine and Rehabilitation Specialists of Georgia is a practice group of physicians based in Rome, Georgia. The practice is exclusively focused on non-surgical treatment of pain management and provides patients with injections, nerve blocks, and nerve stimulators, as well as minimally invasive procedures to treat tendonitis. The Physicians’ Spine and Rehabilitation Specialists employs more than 85 people and generates approximately $17 million in annual revenue.
Was the Physicians’ Spine and Rehabilitation Specialists of Georgia Data Breach the Result of a Ransomware Attack?
In the data breach letter Physicians’ Spine and Rehabilitation Specialists of Georgia sent to victims of the recent data security incident, the company described what appears to have been a ransomware attack. For example, the letter notes that the group responsible for the attack “claims to have taken certain information/records that could be posted.” While the letter doesn’t elaborate beyond this, it is very likely that the group of hackers encrypted portions of the Physicians’ Spine and Rehabilitation Specialists network and then threatened to publish the stolen data on the dark web if the company did not pay the demanded ransom.
Encryption is a process that encodes files, making them inaccessible to anyone without the encryption key (which is usually a password). Individuals and companies encrypt files every day to protect sensitive data from unauthorized access. However, cybercriminals also use encryption when carrying out certain types of cyberattacks—usually ransomware attacks.
So, while the Physicians’ Spine and Rehabilitation Specialists did not explicitly state the incident was due to a ransomware attack, the attackers’ claim that they took records that could be posted is a good indication that was the case.
A ransomware attack occurs when a hacker installs malware that encrypts the files on a victim’s computer. When the victim of the attack logs back on to their computer, they receive a message explaining that if they want to regain access to their computer, they must pay a ransom. If the company pays the ransom, the hackers decrypt the files. Generally, hackers keep their word to decrypt files after a company pays a ransom because, if they didn’t, companies would have no incentive to pay a ransom.
However, as appears to be the case here, hackers have recently started to threaten to publish the stolen data on the dark web if a company does not pay the ransom. While the FBI advises companies not to pay ransoms following a ransomware attack, companies experiencing a ransomware attack are in a difficult position because many would prefer to quietly pay a ransom to avoid news of the breach becoming public.
Of course, companies can—and should—take preventative steps to avoid becoming the target of a ransomware attack in the first place. For example, training employees about the risks of phishing emails and developing state-of-the-art data security systems are two relatively easy things companies can do to prevent these attacks. Unfortunately, despite the widespread knowledge of the risks of ransomware attacks, many companies fail to devote adequate resources to the prevention of ransomware attacks.
Individuals who receive a data breach letter from Physicians’ Spine and Rehabilitation Specialists of Georgia are advised to take additional precautions to secure the safety of their information. As we’ve previously discussed, while it is up to a company to prevent a data breach, there are still steps you can take to protect yourself.