The Colorado-based Gastroenterology center recently notified over 300,000 patients of a data breach.
What happened
In late November, Rocky Mountain Gastroenterology Associates PLLC (“RMG”) began notifying patients of a hacking incident that exposed patient information.
The center reported the data breach the Department of Health and Human Services, as required by law for breaches impacting more than 500 people, on November 13th, 2024. At or around the same time, the company also began issuing alerts to impacted patients.
According to the HHS report, the breach impacted 366,491 individuals.
Going deeper
RMG is considered the largest GI practice in the Rocky Mountain region, operating 15 offices, six Endoscopy Centers, and one pathology laboratory.
In November, the company began providing notices of a breach that RMG became aware of several months prior, on September 13th, 2024. Once RMG was alerted to unusual activity in their IT environment, the organization immediately took steps to secure their system and notify law enforcement. RMG also engaged with a third-party forensic firm to assist in the investigation.
Through the investigation, RMG said they “determined that an unauthorized party accessed certain files from its network.”
Files included information like dates of birth, addresses, medical record numbers, patient account numbers, Social Security numbers, health insurance identification numbers, diagnoses and treatment information.
For impacted patients, RMG is recommending “they review the statements they receive from their healthcare providers and health insurance plans.” If patients discover any listed services they did not receive, they should contact the provider or health plan.
The company added, “We take this incident very seriously and sincerely regret any concern this may cause.” RMG stated they have implemented additional safeguards and security measures to prevent future breaches.
The big picture
Breaches like these are increasingly common and can affect organizations of any size. While some breaches affect only a small number of patients, others can impact hundreds of thousands. Many patients may find themselves the victims of multiple breaches, increasing their chances of facing fraud or identity theft.
With breaches becoming more frequent, so are lawsuits. It’s now common for victims to file class action lawsuits. RMG is currently being investigated by at least two firms interested in pursuing legal action. If the firms believe their cases have validity, they will likely be consolidated and RMG may have to decide to go to court or settle the case.
While these breaches may feel normal, they don’t need to be. The vast majority of breaches can be prevented with the right security systems in place. Many breaches begin with email, but tools like Paubox can provide additional layers of safety that keep patients' and employees’ data secure.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
