Critical Severity (Score: 8/10)

Neurological Institute of Savannah Data Breach Affects 32,548 Patients


Breach Details

Entity: The Neurological Institute of Savannah & Center for Spine, P.C.
Individuals Affected: 32,548
State: GA
Breach Type: Hacking/IT Incident
Location: Network Server
Date Reported: May 1, 2025
Entity Type: Healthcare Provider
Business Associate: No


The Neurological Institute of Savannah & Center for Spine, P.C., also known as The Neurosurgical & Spine Institute of Savannah, has disclosed a significant data breach that compromised the personal information of 32,548 patients. The Georgia-based healthcare provider reported the incident to the Department of Health and Human Services on May 1, 2025, making it one of the larger healthcare data breaches reported this year.

What Happened

According to the breach notification released on April 15, 2025, The Neurological Institute of Savannah ("NeuroSav") experienced a cybersecurity incident that lasted nearly two months. Between June 1, 2024, and July 21, 2024, an unauthorized party gained access to certain electronic files on the neurosurgical practice's network server.

The breach was classified as a hacking/IT incident, with the compromise occurring on the organization's network server infrastructure. While the healthcare provider has acknowledged the unauthorized access, specific technical details about the attack methodology have not been disclosed in the available documentation.

The extended timeline of the breach—lasting approximately seven weeks—suggests that the unauthorized access may have gone undetected for a significant period, potentially allowing threat actors substantial time to navigate the network and access sensitive patient information.

Who Is Affected

The data breach has impacted 32,548 individuals who received care or services from The Neurological Institute of Savannah & Center for Spine, P.C. This includes patients who may have visited the practice for:

  • Neurological consultations and treatments
  • Spine surgery procedures
  • Neurosurgical services
  • Related medical care and follow-up appointments

Given the specialized nature of neurological and spine care, many affected patients likely received ongoing treatment requiring extensive medical documentation, potentially making the exposed information particularly sensitive.

Breach Details

The breach was reported to the HHS Office for Civil Rights on May 1, 2025, placing it on the federal "Wall of Shame" database that tracks healthcare data breaches affecting 500 or more individuals. The incident originated from the healthcare provider's network server, indicating that the compromise occurred at the infrastructure level rather than through individual devices or email systems.

While the specific types of information accessed have not been detailed in the available breach notice, healthcare data breaches of this nature typically involve:

  • Patient names and contact information
  • Medical record numbers
  • Treatment information and diagnoses
  • Insurance details
  • Social Security numbers
  • Date of birth information

The fact that law firm Strauss Borrelli PLLC is investigating the breach suggests potential legal implications and the possibility of class action litigation, which is common in large-scale healthcare data breaches.

What This Means for Patients

For the 32,548 affected individuals, this breach represents a significant privacy violation that could have lasting consequences. Patients whose information was compromised may face:

Identity Theft Risk: If Social Security numbers and other identifying information were accessed, patients could become victims of identity theft or fraud.

Medical Identity Theft: Cybercriminals may use stolen medical information to obtain healthcare services fraudulently, potentially affecting patients' medical records and insurance coverage.

Privacy Concerns: Sensitive neurological and spine treatment information could be exposed, creating personal and professional embarrassment or discrimination concerns.

Financial Impact: Patients may need to invest in credit monitoring services and may face costs associated with identity theft recovery.

The involvement of a data breach law firm investigating the incident indicates that affected patients may have legal recourse, including potential compensation for damages resulting from the breach.

How to Protect Yourself

If you are a patient of The Neurological Institute of Savannah or believe you may be affected by this breach, consider taking these protective steps:

Monitor Your Accounts: Regularly review credit reports, bank statements, and insurance explanation of benefits for suspicious activity.

Enable Fraud Alerts: Contact credit reporting agencies to place fraud alerts on your credit files.

Watch for Phishing: Be cautious of unsolicited communications requesting personal or medical information, as cybercriminals often use stolen data for targeted phishing attacks.

Review Medical Records: Check your medical records and insurance statements for services you didn't receive, which could indicate medical identity theft.

Document Everything: Keep records of any suspicious activity or costs incurred due to the breach, as this information may be valuable for potential legal claims.

Stay Informed: Monitor updates from the healthcare provider and consider consulting with legal counsel if you believe you've suffered damages.

Prevention Lessons for Healthcare Providers

This breach highlights critical cybersecurity vulnerabilities that healthcare organizations must address:

Network Security: Healthcare providers must implement robust network monitoring and intrusion detection systems to identify unauthorized access quickly.

Access Controls: Implementing proper access controls and network segmentation can limit the scope of potential breaches.

Regular Security Assessments: Conducting frequent penetration testing and vulnerability assessments can identify weaknesses before they're exploited.

Employee Training: Staff education about cybersecurity threats and proper data handling procedures is essential for preventing successful attacks.

Incident Response Planning: Having a comprehensive incident response plan can minimize the duration and impact of security breaches.

HIPAA Compliance: Maintaining ongoing HIPAA compliance through regular risk assessments and security updates is not just a legal requirement but a critical patient protection measure.

The seven-week duration of unauthorized access in this case demonstrates the importance of continuous monitoring and rapid detection capabilities. Healthcare organizations cannot afford to have breaches go undetected for extended periods.

Moving Forward

The Neurological Institute of Savannah breach serves as another reminder of the persistent cybersecurity threats facing healthcare organizations. As investigation continues and potentially more details emerge, this incident will likely influence cybersecurity practices across the healthcare industry.

For healthcare providers, this breach underscores the critical importance of proactive cybersecurity measures and HIPAA compliance. The cost of prevention is invariably less than the cost of remediation, legal fees, and reputation damage following a major data breach.


Source: This breach was reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Breach Portal. Data sourced from ocrportal.hhs.gov. Analysis and article generated by HIPAA Agent.
