Data Breach at Choice Rehabilitation Affects 4,300 Patients

Choice Rehabilitation of Creve Coeur, Missouri, has released a statement announcing that a security incident has compromised the sensitive data of over 4,300 patients.

The breach was discovered on November 7, 2018, when it was discovered that one of its employee’s email accounts had been hacked. The hackers were then forwarding emails, which contained sensitive patient information, to their personal accounts. Once the breach was discovered, the compromised email account was deactivated.

Choice Rehabilitation’s statement about the breach is available on, but was first posted on STLToday on 31 December, 2019.

According to the statement, Choice contacted Microsoft, their email provider, and an investigation into the breach was launched. It was determined that the hacker had access to the data for three months, from July 1 through September 30, 2018.

“In a detailed review of emails, Choice identified billing documents that were sent to associated skilled nursing facilities which included personal information relating to patients and the therapy services they received,” the official statement read. This billing data was restricted to treatments such as physical, speech, and occupational therapy, and included information such as payor details, medical record numbers, start and end dates of therapy, diagnoses, treatment information, billing codes, and the name of the facility where care was given.

Other protected health information (PHI) such as financial data, Social Security numbers, Medicare and Medicaid numbers, birth dates and contact information were not affected by the breach.

Following the breach, Choice Rehabilitation alerted other corporate users of the email service of the breach and reminded them of security safeguards to stop unauthorized account access. Security awareness training will continue to be regularly provided to staff members. Enhanced safeguards have also been put in place to improve email and network security and monitoring of corporate emails accounts has been strengthened.

The breach announcement report states that “currently, there is no indication that there has been any use of the disclosed health information”, and that due to the nature of the data stolen in the breach, there is a “low probability of reputational or financial harm to the patient”.

However, as those affected by a data breach are at heightened risk of identity fraud, Choice has recommended caution should be taken and any suspicious activity on accounts should be reported to the appropriate authorities. In accordance with HIPAA’s Breach Notification Rule, breach notification letters have been sent to all affected patients.

The breach report on the Department of Health and Human Services’ Office for Civil Rights (OCR) breach portal states that up to 4,309 people have possibly been impacted.

Due to the high black-market value of PHI, healthcare facilities are frequently the target of cyberattacks by criminals looking to make a profit. This case highlights the importance of regularly checking email systems to ensure that no unauthorised individuals have gained access to sensitive information.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at