Piedmont Healthcare, Inc.

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

Piedmont Healthcare, Inc., a prominent healthcare provider based in Georgia, has been involved in several incidents and legal actions related to data breaches, privacy concerns, and regulatory compliance issues. Here’s a detailed overview of these matters:

Data Security Incident Involving Blackbaud

In September 2020, Piedmont Healthcare announced a data security incident affecting some of its patients due to a breach at Blackbaud, Inc., a third-party service provider used by The Piedmont Healthcare Foundation for fundraising activities. Between February 7 and May 20, 2020, an unauthorized individual accessed Blackbaud’s systems and may have acquired backup copies of databases, including one used by the Foundation. The potentially compromised data included patient names, demographic information, medical record numbers, care facility details, physician names, and some diagnosis information. However, Social Security numbers and financial account information were encrypted and reportedly not accessed. Piedmont Healthcare took steps to understand the incident’s extent and established a dedicated call center to address patient concerns[1].

Alleged Sharing of User Data with Facebook

Piedmont Healthcare faced a class action lawsuit filed in October 2023, alleging the unauthorized transmission of patients’ personal data to Meta Platforms (Facebook) without consent. The lawsuit claimed that from at least 2020 to around June 2022, Piedmont used a tracking code (Meta pixel) on its website and patient portal, which collected and shared patients’ private information with Facebook for advertising purposes. The data allegedly included names, appointment details, medical provider information, medical conditions, and real-time communications with doctors. The lawsuit criticized Piedmont for prioritizing profit over patient privacy rights and failing to inform website visitors about the data sharing[3].

Settlement of False Claims Allegations

In June 2020, Piedmont Healthcare agreed to pay $16 million to settle allegations of violating the False Claims Act. The settlement addressed claims that Piedmont billed Medicare and Medicaid for procedures at the more expensive inpatient level of care instead of the less costly outpatient or observation level of care. Additionally, it resolved allegations that Piedmont paid above fair market value to acquire Atlanta Cardiology Group in 2007, violating the federal Anti-Kickback Statute. The settlement aimed to address concerns over unnecessary inpatient services and improper financial incentives[5][11].

Phishing Attack at Piedmont Cancer Institute

Piedmont Cancer Institute, part of Piedmont Healthcare, experienced a phishing attack impacting 5,226 patients. An unauthorized individual accessed an employee’s email account between April 5 and May 8, 2020. The compromised account contained protected health information, including names, dates of birth, and medical and financial information. Following the breach, Piedmont Cancer Institute implemented multi-factor authentication for its email accounts and provided additional email security training to its workforce[9].

These incidents highlight the challenges Piedmont Healthcare has faced in protecting patient data and complying with healthcare regulations. The organization has taken steps to address these issues, including enhancing security measures and settling legal claims to resolve past allegations.

Citations:

  1. https://www.piedmont.org/media/file/PHC-Notice-Privacy-Incident.pdf
  2. https://www.healthcapital.com/hcc/newsletter/07_20/HTML/PIEDMONT/convert_hc_topics_piedmont_7.20.20.php
  3. https://www.classaction.org/news/piedmont-healthcare-facing-class-action-over-alleged-sharing-of-user-data-with-facebook
  4. https://www.bankinfosecurity.com/piedmont-ciso-on-protecting-hospitals-in-age-covid-19-a-20507
  5. https://www.justice.gov/usao-ndga/pr/atlanta-hospital-system-pay-16-million-resolve-false-claims-allegations
  6. https://theaugustapress.com/augusta-hospital-retiree-litigants-line-up/
  7. https://www.classaction.org/media/td-v-piedmont-healthcare-inc.pdf
  8. https://law.justia.com/cases/federal/district-courts/georgia/gamdce/5:2022cv00280/125760/57/
  9. https://www.hipaajournal.com/piedmont-cancer-institute-phishing-attack-impacts-5000-patients/
  10. https://casetext.com/case/cervalli-v-piedmont-healthcare-inc
  11. https://oig.hhs.gov/fraud/enforcement/atlanta-hospital-system-to-pay-16-million-to-resolve-false-claims-allegations/

Breach Submission Date: Sep 29, 2023
Converted Entity Name: Piedmont Healthcare, Inc.
Converted Entity Type: Healthcare Provider
State: GA
Individuals Affected: 895
Breach Type: Hacking/IT Incident
Breach Information Location: Network Server
Business Associate Present: Yes