
Cyber Incident Victim: Atlanta Women's Health Group

Date: Jun 2023

Location: United States of America

Summary

Atlanta Women’s Health Group experienced a hacking incident impacting its network servers, which resulted in unauthorized access to confidential patient information. The breach affected over 33,000 patients and involved protected health information. The compromised data likely included names, Social Security numbers, lab results, diagnoses, medications, and health insurance details. The provider, a large OB/GYN organization, subsequently filed a notice with federal regulators and began sending data breach notification letters to affected individuals.


Description

On June 12, 2023, Atlanta Women’s Health Group, P.C. (AWHG) filed a notice of data breach with the U.S. Department of Health and Human Services Office for Civil Rights (HHS-OCR). This filing was a direct result of the organization learning about a recent cybersecurity incident that had made confidential patient information available to an unauthorized party. The act of filing this notice with HHS-OCR indicated with near certainty that the incident resulted in patients’ protected health information being subject to unauthorized access. The nature of the incident was classified as a “Hacking/IT incident” that specifically targeted AWHG’s network servers. The organization, upon learning of the incident, launched an immediate investigation to understand the full scope and impact of the event.


The investigation confirmed that an unauthorized party had successfully gained access to the company’s IT network. This access allowed the threat actor to view and potentially acquire sensitive consumer data stored on the compromised servers. Following the confirmation that data had been leaked, AWHG began the process of reviewing all affected files to determine the specific types of information that were compromised and to identify the exact number of consumers impacted by this unauthorized access. The breach notification filed with HHS-OCR indicated that the incident affected over 33,000 patients.

The information involved in the breach varied from individual to individual but was confirmed to include patients' names along with other protected health information. While the exact data types were not explicitly confirmed in the initial filing, the nature of the information stored by a healthcare provider suggested the compromised data could have included highly sensitive details such as Social Security numbers, laboratory results, current medication lists, medical diagnoses, and health insurance claims information. The presence of such data significantly elevated the risk of fraud and identity theft for the affected individuals.

On or around the same date as the HHS-OCR filing, June 12, 2023, Atlanta Women’s Health Group began sending out individualized data breach notification letters to all persons whose information was confirmed to have been compromised as a result of the security incident. These letters served to inform patients of the breach and the potential exposure of their personal data. At the time of the initial reporting, AWHG had not yet posted a notice of the incident on its official website nor had it issued a public press release to explain the incident in greater detail, making the HHS-OCR filing the primary source of confirmed information.

The impact of this incident was substantial due to the sensitive nature of the data involved and the large number of individuals affected. As a healthcare provider, Atlanta Women’s Health Group is entrusted with protecting the sensitive personal information it gathers during the course of patient treatment. The breach raised legitimate concerns regarding the organization's data security measures and its ability to safeguard patient information from unauthorized external access. The compromise of protected health information exposes patients to potential financial fraud, medical identity theft, and other forms of personal exploitation.

Atlanta Women’s Health Group, P.C. is a significant entity in the healthcare sector. Founded in 1999, the organization is the product of a merger between several established OB/GYN practices, including Georgia OB/GYN, Northside/Northpoint OB/GYN, Roswell OB/GYN, Peachtree Women’s Clinic, North Atlanta OB/GYN, and North Atlanta Women’s Specialists. This consolidated group consists of more than 40 individual OB/GYN practices located throughout the Atlanta metropolitan area. The scale of its operations is considerable, with the group conducting over 400,000 patient visits annually for a patient base exceeding 300,000 individuals. The organization employs more than 174 people and generates approximately $14 million in annual revenue, indicating its prominent role in providing specialized healthcare services to a large community.

The data breach incident directly impacted a portion of this extensive patient population. The response actions taken by AWHG included the formal regulatory notification, an internal investigation to determine the breach's scope, and the direct communication with affected patients to inform them of the event and the potential risks to their personal information.
