
Georgia Urology email breach affects over 12,000


On March 27, 2025, Georgia Urology announced that a cyberattack compromised two employee email accounts, exposing 12,398 current and former patients' protected health information (PHI).

 

What happened

Georgia Urology, the largest urology practice in the Southeastern United States, recently disclosed a data breach after unauthorized access was detected in two employee email accounts. The incident was initially discovered on October 25, 2024. 

In response, the organization enlisted third-party cybersecurity experts to assist with an investigation. That process concluded on March 5, 2025, identifying individuals whose data may have been exposed.

Exposed data may include names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical histories, diagnosis and treatment details, health insurance information, and COVID-19 vaccination status. On March 27, 2025, Georgia Urology began notifying affected patients through mailed letters.

 

What was said

The Georgia Urology public breach notice states, “There is no evidence of the misuse, or attempted misuse of any information potentially involved in this incident. However, on March 27, 2025, we sent notification letters to the individuals potentially involved in this incident providing them information about what happened and steps they can take to protect their personal information.”

The organization further stated, “We take the security of personal and/or protected health information very seriously and are taking steps to prevent a similar event from occurring in the future, including increasing our information security policies and posture.”

Affected individuals were also informed that a toll-free call center has been established to address questions and concerns. The line is available Monday through Friday from 8:00 a.m. to 8:00 p.m. ET at 1-833-998-7776.

 

In the know

Many healthcare organizations, like Georgia Urology, still rely on standard email platforms that lack advanced encryption or threat detection, making inboxes an easy entry point for attackers.

Using a HIPAA compliant email solution, like Paubox, can help organizations mitigate the risk of unauthorized access. More specifically, it offers automatic encryption, keeping data unreadable even if an account is compromised.

Paubox also integrates directly into existing workflows, allowing secure communication without unnecessary steps like manual encryption or navigating an inconvenient patient portal.

Go deeper: Why patient portals are inconvenient: An evidence-based perspective

 

Why it matters

Relying on basic email systems without proper encryption exposes patient data to fraud, theft, and other risks. Healthcare organizations must use HIPAA compliant emails to prevent unauthorized PHI access and uphold federal regulations.

 

FAQs

What is a data breach?

A breach occurs when an unauthorized party accesses, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.

See also: How to respond to a data breach

 

What should individuals do if their data has been compromised?

If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.

 

Are there any costs associated with placing a fraud alert or credit freeze?

No, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.

 
