Norwood Clinic Data Breach

Pittman, Dutton, Hellums, Bradley & Mann, P.C., a Birmingham, Alabama based law firm experienced in data breach and consumer class action cases, is investigating claims on behalf of victims of a healthcare data breach involving Norwood Clinic, a multispecialty medical group of 25 physicians headquartered in Fultondale, Alabama.

On March 8, 2022, Norwood Clinic began sending Notice of Data Security Incident letters to 228,103 current and former patients whose personally identifiable information (“PII”) and protected health information (“PHI”) were accessed by an unauthorized third party[1]. Here is a copy of the data breach notification letter sent by Norwood Clinic:

If you received this letter, please contact our office at (205) 322-8880 as soon as possible to discuss your potential legal rights and remedies.

What Information Was Accessed?

This data breach is significant because the unauthorized third party (hackers) accessed a server containing patients’ sensitive data including:

  1. Personally identifiable information (“PII”) (such as name, contact information, date of birth, Social Security number, driver’s license number); and
  2. Protected health information (“PHI”) (such as limited health information and/or health insurance policy number).

When Did the Data Breach Occur?

The hackers had access to Norwood Clinic’s systems for 32 days, from September 20, 2021, until October 22, 2021, when Norwood Clinic finally discovered the breach.

However, Norwood Clinic failed to immediately disclose the data breach and waited 126 days, until February 25, 2022, to inform the United States Health and Human Services Office of Civil Rights.

The scope of the breach coupled with the amount of time it took Norwood Clinic to discover it shows a real lack of security and responsibility for their patients’ sensitive information.

What Caused the Norwood Clinic Data Breach?

According to Norwood Clinic in its reports to governmental entities, including the Maine and Massachusetts Attorneys General and the U.S. Department of Health and Human Services Office of Civil Rights, on September 20, 2021, an unauthorized party gained access to Norwood Clinic servers storing patient information.[2] Norwood Clinic did not discover the breach until October 22, 2021.[3] Norwood Clinic did not begin notifying victims of this security incident until March 8, 2022.[4]

What Information Was Impacted in the Data Breach?

Information stored on the affected servers included:

  • Names
  • Contact information
  • Dates of birth
  • Social Security numbers
  • Driver’s License numbers
  • Health information
  • Health insurance policy numbers[5]

How Many People Are Impacted by the Data Breach?

Approximately 228,103 current and former patients had their personal information compromised in the Norwood Clinic data breach.[6]

How Can I Tell If My Data Was Stolen?

There are several steps you can take to check if your data was affected:

  • Be on the lookout for updates: Watch your email to see if you receive the letter mentioned above or any updates/additional information.
  • Watch out for phishing attempts: Be wary of scammers claiming to be from Norwood Clinic asking you to provide information or click on a link. If in doubt, contact the company or consult with a lawyer.
  • Monitor your account activity: Check for suspicious charges on your statements. Scammers and identity theft perpetrators often test with smaller charges before charging large bills.

What Should I Do if I Received Notification of the Norwood Clinic Data Breach? How Do I Pursue Legal Recourse?

The scope of the breach coupled with the amount of time it took Norwood Clinic to discover it shows a real lack of security and responsibility for their patients’ sensitive information. Norwood Clinic admitted to state and national authorities that hackers had access to ~228,000 patients’ PII and PHI for over a month, and then waited four months to inform the victims.

From our experience, we anticipate speaking with current and former Norwood Clinic patients who are now victims of identity theft and financial fraud through no fault of their own. Each patient is at an increased risk of identity theft and must spend time establishing safeguards and monitoring their credit profiles and financial accounts. It’s not an easy process, and we’re happy to provide tips to anyone who needs help; they can also call to receive a free, confidential consultation.

If you would like to have a free, confidential consultation with an attorney to learn more about your rights and potential legal remedies in responding to the Norwood Clinic data breach, please call or text Pittman, Dutton, Hellums, Bradley & Mann, P.C. attorneys Jon Mann or Austin Whitten at (205) 322-8880, or email us at jon@pittmandutton.com or austinw@pittmandutton.com, or submit a Case Evaluation request through the form on the side of the page.