
Neurology Practice Notifies 363K of Data Breach, PHI Released on Dark Web

Indiana-based Goodman Campbell Brain and Spine notified nearly 363,000 individuals of a data breach that resulted in PHI being posted on the dark web.

Indiana-based neurology practice Goodman Campbell Brain and Spine notified 362,833 individuals of a data breach that occurred in May. With a level of specificity that is uncommon in data breach notifications, Goodman Campbell also noted that the cyber criminals responsible for the attack posted protected health information (PHI) on the dark web, where it was available for 10 days.

On May 20, Goodman Campbell discovered that its computer network and communication systems had been “compromised through a sophisticated ransomware attack.”

The practice said it immediately notified the Federal Bureau of Investigation (FBI) cybercrimes division and engaged an incident response firm to investigate the incident and restore systems. The attacker did not manage to access the practice’s EMR system, but did successfully access appointment schedules, insurance eligibility documentation, and referral forms.

The impacted information potentially included names, birth dates, email addresses, medical record numbers, patient account numbers, phone numbers, physician names, treatment information, addresses, insurance information, dates of service, and Social Security numbers.

In a June 17 update on its website, the practice stated that its phone systems had been restored, but its email system was still not fully restored. A July 19 update assured patients and employees that Goodman Campbell had resumed all clinical operations and had fully restored its communication systems.

“While we have no indication that the information of any impacted individuals has been used inappropriately as a result of this incident, we do know that some information acquired by the attacker was made available for approximately 10 days on the Dark Web, which is a portion of the internet that cannot be found by search engines and is not viewable in a standard web browser and is commonly used in these types of attacks,” the July notice to patients stated.

“We take the privacy and security of information entrusted to us seriously and we deeply regret that this attack on our systems occurred. We took several steps to mitigate the impact of the incident, including conducting an investigation with the assistance of IT specialists, confirming the security of our internal network and systems and implementing new monitoring solutions to protect against future cyber attacks.”

Goodman Campbell Brain and Spine offered impacted individuals complimentary credit monitoring services.
