Cyber Incident Victim: Family Medical Center
Date:
Feb 2021
Location:
United States of America
Summary
A Georgia-based medical provider experienced unauthorized access to patient data, compromising names, addresses, dates of birth, and Social Security numbers for over 79,000 individuals. The breach occurred when stolen files were discovered on a third-party computer by law enforcement, though the attacker did not access the organization’s medical records database or obtain healthcare or financial information. The access point used by the hacker was identified and eliminated months after the incident. Affected patients were offered complimentary identity protection and credit-monitoring services for one year.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Family Medical Center, managed by Gore Medical Management, experienced a data breach involving unauthorized access to patient information. The incident came to light when the Federal Bureau of Investigation (FBI) notified the medical center in November 2020 that stolen patient files had been discovered on a third-party computer system not affiliated with the healthcare provider. This external computer did not form part of Family Medical Center’s operational infrastructure. The stolen data contained personal identifiers of 79,100 patients, including full names, residential addresses, dates of birth, and Social Security numbers. Notably, the compromised information did not extend to healthcare records such as medical histories, treatment details, or diagnostic information, nor did it include financial data like credit card numbers or banking details. The medical center formally reported the breach to the U.S. Department of Health and Human Services (HHS) on February 8, 2021, nearly three months after the FBI’s initial notification.
Investigations revealed that the attacker did not penetrate Family Medical Center’s primary medical records database to acquire the stolen files. Instead, the breach occurred through an unidentified access point that the hacker exploited to extract the data. The medical center identified and closed this vulnerability several months after the breach occurred, though the exact timeline of the initial intrusion remains unspecified in public disclosures. As a direct consequence of the incident, all affected individuals were offered one year of complimentary identity protection services and credit monitoring to mitigate risks of identity theft or financial fraud. The medical center’s public notification emphasized the absence of compromised medical or financial records while acknowledging the exposure of sensitive personally identifiable information. No operational disruptions to clinical services or additional system compromises were reported in connection with the event.