Albany Gastro data breach exposes SSNs of over 57,000 patients

An unauthorized party accessed Albany Gastro’s systems in November 2024, compromising sensitive data, including Social Security numbers.

 

What happened

Albany Gastroenterology Consultants (Albany Gastro) experienced a cybersecurity breach that began around November 10, 2024. The breach was discovered on November 19 after the organization noticed unusual activity that disrupted access to one of its systems. A digital forensics investigation later confirmed that an unknown actor accessed and acquired certain personal information without authorization.

The compromised data included patients' names and Social Security numbers. According to a filed disclosure, the breach affected 57,751 individuals.

 

Going deeper

Following the breach, Albany Gastro initiated a detailed review of the impacted data, concluding its analysis by January 21, 2025. The organization then began notifying affected individuals and coordinating response efforts.

To mitigate risks, Albany Gastro brought in a third-party cybersecurity firm to perform a forensic investigation and has reported the incident to the FBI. The organization is actively cooperating with any ongoing investigations.

 

What was said

In public disclosures, Albany Gastro confirmed its collaboration with federal authorities and stated its commitment to securing its systems. Affected individuals are being offered complimentary identity protection services through IDX, including:

  • 12 or 24 months of credit and CyberScan monitoring
  • A $1 million insurance reimbursement policy
  • Fully managed identity theft recovery support

Notifications sent to impacted individuals include instructions for enrolling in these services, which are available through April 28, 2025.

 

FAQs

Why are healthcare providers like Albany Gastro prime targets for cyberattacks?

Providers store a high concentration of sensitive data, including Social Security numbers and medical records, which makes them attractive to attackers. Breaches at even mid-sized practices highlight that no organization is “too small” to be targeted.

 

What can other organizations learn from Albany Gastro’s response?

They immediately engaged a third-party cybersecurity firm, notified law enforcement, and conducted a forensic review. This shows the need to have an incident response plan that includes external experts and clear reporting protocols.

 

How should providers handle breach notifications and timelines?

Albany Gastro completed its data review within two months and began issuing notifications. Organizations should ensure they can meet HIPAA and state-specific timelines, with processes in place for rapid identification, analysis, and communication of incidents.

 

What part does patient communication play in breach response?

Patients were offered identity protection and credit monitoring services, which help preserve trust. For providers, transparent and proactive communication with patients, regulators, and business partners is needed to limit reputational and regulatory damage.

 

What steps should organizations take now to reduce exposure?

Providers should reassess vendor relationships, update their security monitoring tools, and ensure encryption, multi-factor authentication, and secure communication platforms are in place. Investing in HIPAA-compliant secure email and messaging solutions can help prevent PHI from being exposed through weak channels.