An unauthorized party accessed Albany Gastro’s systems in November 2024, compromising sensitive data, including Social Security numbers.
Albany Gastroenterology Consultants (Albany Gastro) experienced a cybersecurity breach that began around November 10, 2024. The breach was discovered on November 19 after the organization noticed unusual activity that disrupted access to one of its systems. A digital forensics investigation later confirmed that an unknown actor accessed and acquired certain personal information without authorization.
The compromised data included names and Social Security numbers of patients. According to a disclosure filed, the breach affected 57,751 individuals.
Following the breach, Albany Gastro initiated a detailed review of the impacted data, concluding its analysis by January 21, 2025. The organization then began notifying affected individuals and coordinating response efforts.
To mitigate risks, Albany Gastro brought in a third-party cybersecurity firm to perform a forensic investigation and has reported the incident to the FBI. The organization is actively cooperating with any ongoing investigations.
In public disclosures, Albany Gastro confirmed its collaboration with federal authorities and stated its commitment to securing its systems. Affected individuals are being offered complimentary identity protection services through IDX, including:
Notifications sent to impacted individuals include instructions for enrolling in these services, which are available through April 28, 2025.
Providers store a high concentration of sensitive data, including Social Security numbers and medical records, which makes them attractive to attackers. Breaches at even mid-sized practices highlight that no organization is “too small” to be targeted.
They immediately engaged a third-party cybersecurity firm, notified law enforcement, and conducted a forensic review. This shows the need to have an incident response plan that includes external experts and clear reporting protocols.
Albany Gastro completed its data review within two months and began issuing notifications. Organizations should ensure they can meet HIPAA and state-specific timelines, with processes in place for rapid identification, analysis, and communication of incidents.
Patients were offered identity protection and credit monitoring services, which help preserve trust. For providers, transparent and proactive communication with patients, regulators, and business partners is needed to limit reputational and regulatory damage.
Providers should reassess vendor relationships, update their security monitoring tools, and ensure encryption, multi-factor authentication, and secure communication platforms are in place. Investing in HIPAA-compliant secure email and messaging solutions can help prevent PHI from being exposed through weak channels.