Summit Medical Group, PLLC

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

Summit Medical Group, PLLC, based in Tennessee, experienced a data security incident that was publicly disclosed in early 2024. On November 29, 2023, the organization discovered that some patient information had been compromised due to an email phishing attack targeting one of its employees. The employee was deceived into sharing information with an unauthorized individual, believing they were communicating with another employee. This led to the inadvertent disclosure of a spreadsheet containing patient billing information via email. The compromised information varied by patient but may have included patient names, provider names, patient identification numbers, dates of birth, facilities of treatment, dates of service, cost of services, and/or insurance carrier names.

In response to the incident, Summit Medical Group took immediate steps to prevent further unauthorized access and initiated an investigation to understand the scope and impact of the breach. The organization determined that the disclosed spreadsheet contained certain patient information, prompting them to begin mailing notification letters to potentially affected patients starting January 12, 2024.

To address the situation and prevent future incidents, Summit Medical Group implemented additional safeguards and technical security measures to enhance the protection and monitoring of their email system. They also provided additional training to the employee involved in the incident. Furthermore, the organization established a dedicated toll-free call center to answer questions and address concerns related to the incident, available to individuals at (866) 992-0887, Monday to Friday, between 8:00 a.m. and 5:30 p.m. Central Time, excluding major U.S. holidays[2].

This incident is part of a larger trend of cybersecurity challenges facing healthcare organizations, as evidenced by the significant number of healthcare data breaches reported in recent years. The healthcare sector is particularly vulnerable due to the sensitive nature of the data it handles, making it a prime target for cybercriminals[3].

Citations:

  1. https://www.databreaches.net/summit-health-has-hundreds-of-locations-were-they-victims-of-a-cyberattack-by-lockbit3-0/
  2. https://www.summitmedical.com/data-security
  3. https://www.fiercehealthcare.com/health-tech/hca-healthcare-reports-data-breach-potentially-impacting-11m-patients
  4. https://www.summitmedical.com/patients/privacy
  5. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf?ref=blog.gitguardian.com
  6. https://healthitsecurity.com/news/p4620/p220/p140/p140/p100/p60/p80/p80/P4900
  7. https://www.newschannel5.com/news/have-you-been-to-an-hca-facility-where-data-was-stolen-you-should-check
  8. https://www.prnewswire.com/news-releases/summit-behavioral-healthcare-llc-notifies-customers-of-data-security-incident-301236599.html
  9. https://www.govinfosecurity.com/victim-list-in-ehr-vendor-hack-grows-as-new-details-emerge-a-19100
  10. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
  11. https://hcahealthcare.com/about/privacy-update.dot
  12. https://law.justia.com/cases/tennessee/court-of-appeals/2017/m2016-01846-coa-r9-cv.html
  13. https://www.caseygerry.com/2021/02/28/summit-bhc-data-breach/
  14. https://newstral.com/en/article/en/1245818830/lockbit3-0-takes-credit-for-ransomware-attack-against-summit-health-raising-concerns-over-potential-data-breach
  15. https://casetext.com/case/summit-health-inc-v-aps-healthcare-bethesda
  16. https://www.fiercehealthcare.com/health-tech/commonspirit-health-reported-it-security-incident-affecting-facilities-wash-neb-and

Breach Submission Date: Jan 12, 2024
Converted Entity Name: Summit Medical Group, PLLC
Converted Entity Type: Healthcare Provider
State: TN
Individuals Affected: 4,135
Breach Type: Hacking/IT Incident
Breach Information Location: Network Server
Business Associate Present: Yes