Athens Orthopedic Clinic will not pay for credit monitoring for breach victims

Hacker stole and publicized personal information of patients in a breach affecting 200,000, AOC says.

Beth Jones Sanborn, Managing Editor

Following a data breach that compromised the medical information of hundreds of thousands of patients, Athens Orthopedic Clinic says it cannot pay for credit monitoring for those affected, the clinic announced in a statement.

AOC said in a special message on their website that they discovered the hack on June 28, though it actually occurred on June 14, and immediately hired cyber-security experts and notified the FBI. They chose not to publicly disclose the breach so as not to interfere with the investigation or incite the hacker into a mass public release of data.

The hack was perpetrated through the use of a third-party vendor's log-in credentials. That vendor has been terminated, AOC said. They did not identify the vendor specifically but referred to them as a "nationally-known healthcare information management contractor".

They said it also took several weeks to confirm which patients' information was taken, and what specifically was stolen. However, once the hacker made some of the information public, AOC informed those who were potentially affected and the public at large, putting statements on their website and social media, and working on a mass mailing of letters to the 200,000 affected patients.

Clinic CEO Kayo Elliott said the hacker has attempted to extort a large ransom from the clinic, and that the clinic has expended significant resources making sure its system is now secure, though that may be little consolation to those whose information was compromised and who worry about potential fraud.

"They wish we could pay for extended credit monitoring. So do we. We truly regret that we are unable to do so, as we are not able to spend the many millions of dollars it would cost us to pay for credit monitoring for nearly 200,000 patients and keep Athens Orthopedic as a viable business. I recognize and am truly sorry for the position this puts our patients in," Elliott said in a statement.

AOC said the stolen personal information of current and former patients includes names, addresses, Social Security numbers, dates of birth and telephone numbers, and in some cases diagnoses and partial medical history. They stressed that no banking or payment information is stored at AOC and therefore none was compromised in the breach.