Summit Medical Group, PLLC
Your Personal Info Could Be Exposed Online After This Hospital Breach
Breach Description
Summit Medical Group, PLLC, based in Tennessee, experienced a data security incident that was publicly disclosed in early 2024. On November 29, 2023, the organization discovered that some patient information had been compromised due to an email phishing attack targeting one of its employees. The employee was deceived into sharing information with an unauthorized individual, believing they were communicating with another employee. This led to the inadvertent disclosure of a spreadsheet containing patient billing information via email. The compromised information varied by patient but may have included patient names, provider names, patient identification numbers, dates of birth, facilities of treatment, dates of service, cost of services, and/or insurance carrier names.
In response to the incident, Summit Medical Group took immediate steps to prevent further unauthorized access and initiated an investigation to understand the scope and impact of the breach. The organization determined that the disclosed spreadsheet contained certain patient information, prompting them to begin mailing notification letters to potentially affected patients starting January 12, 2024.
To address the situation and prevent future incidents, Summit Medical Group implemented additional safeguards and technical security measures to enhance the protection and monitoring of their email system. They also provided additional training to the employee involved in the incident. Furthermore, the organization established a dedicated toll-free call center to answer questions and address concerns related to the incident, available to individuals at (866) 992-0887, Monday to Friday, between 8:00 a.m. and 5:30 p.m. Central Time, excluding major U.S. holidays[2].
This incident is part of a larger trend of cybersecurity challenges facing healthcare organizations, as evidenced by the significant number of healthcare data breaches reported in recent years. The healthcare sector is particularly vulnerable due to the sensitive nature of the data it handles, making it a prime target for cybercriminals[3].
Citations:
- https://www.databreaches.net/summit-health-has-hundreds-of-locations-were-they-victims-of-a-cyberattack-by-lockbit3-0/
- https://www.summitmedical.com/data-security
- https://www.fiercehealthcare.com/health-tech/hca-healthcare-reports-data-breach-potentially-impacting-11m-patients
- https://www.summitmedical.com/patients/privacy
- https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf?ref=blog.gitguardian.com
- https://healthitsecurity.com/news/p4620/p220/p140/p140/p100/p60/p80/p80/P4900
- https://www.newschannel5.com/news/have-you-been-to-an-hca-facility-where-data-was-stolen-you-should-check
- https://www.prnewswire.com/news-releases/summit-behavioral-healthcare-llc-notifies-customers-of-data-security-incident-301236599.html
- https://www.govinfosecurity.com/victim-list-in-ehr-vendor-hack-grows-as-new-details-emerge-a-19100
- https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
- https://hcahealthcare.com/about/privacy-update.dot
- https://law.justia.com/cases/tennessee/court-of-appeals/2017/m2016-01846-coa-r9-cv.html
- https://www.caseygerry.com/2021/02/28/summit-bhc-data-breach/
- https://newstral.com/en/article/en/1245818830/lockbit3-0-takes-credit-for-ransomware-attack-against-summit-health-raising-concerns-over-potential-data-breach
- https://casetext.com/case/summit-health-inc-v-aps-healthcare-bethesda
- https://www.fiercehealthcare.com/health-tech/commonspirit-health-reported-it-security-incident-affecting-facilities-wash-neb-and