On August 6, 2024, Atlantic Orthopaedic Specialists, also known as Vann Virginia Center for Orthopaedics, discovered unauthorized access to one of its corporate email accounts.
The organization immediately began an investigation with the help of cybersecurity experts to assess the breach’s scope. The investigation revealed that an unauthorized third party accessed and possibly removed files from email accounts between June 20 and August 6, 2024. These files contained sensitive information, including names and Social Security numbers.
On October 28, 2024, after a detailed forensic review, Atlantic Orthopaedic confirmed the potential exposure of protected health information (PHI). Although there was no evidence of misuse, the organization began notifying affected individuals on November 22, 2024.
The data breach was an email account compromise. Unauthorized access to one corporate email account allowed third parties to view and remove files. This type of breach is often linked to phishing attacks and weak security protocols.
Because email accounts contain a record of all the company's activities, this breach leaves patients and Atlantic Orthopaedic vulnerable for years to the threat of blackmail or fraud.
A data breach happens when unauthorized people gain access to information through hacking, accidental leaks, or weak security systems.
Encryption scrambles information into a code so that only authorized people can read it.
Protected health information is any health-related information that could be used to identify someone.