Data Breach at Choice Rehabilitation Affects 4,300 Patients

Choice Rehabilitation of Creve Coeur, Missouri, has released a statement announcing that a security incident has compromised the sensitive data of over 4,300 patients.

The breach was discovered on November 7, 2018, when Choice found that one of its employees' email accounts had been hacked. The hackers were forwarding emails containing sensitive patient information from that account to their personal accounts. Once the breach was discovered, the compromised email account was deactivated.

Choice Rehabilitation's statement about the breach is available on databreaches.net, but was first posted on STLToday on 31 December, 2019.

According to the statement, Choice contacted Microsoft, its email provider, and an investigation into the breach was launched. It was determined that the hacker had access to the data for three months, from July 1 through September 30, 2018.

“In a detailed review of emails, Choice identified billing documents that were sent to associated skilled nursing facilities which included personal information relating to patients and the therapy services they received,” the official statement read. This billing data was restricted to treatments such as physical, speech, and occupational therapy, and included information such as payor details, medical record numbers, start and end dates of therapy, diagnoses, treatment information, billing codes, and the name of the facility where care was given.

Other protected health information (PHI) such as financial data, Social Security numbers, Medicare and Medicaid numbers, birth dates and contact information were not affected by the breach.

Following the breach, Choice Rehabilitation alerted other corporate users of the email service and reminded them of the security safeguards that prevent unauthorized account access. Security awareness training will continue to be provided regularly to staff members. Enhanced safeguards have also been put in place to improve email and network security, and monitoring of corporate email accounts has been strengthened.

The breach announcement report states that “currently, there is no indication that there has been any use of the disclosed health information”, and that due to the nature of the data stolen in the breach, there is a “low probability of reputational or financial harm to the patient”.

However, as those affected by a data breach are at heightened risk of identity fraud, Choice has recommended that caution be taken and that any suspicious activity on accounts be reported to the appropriate authorities. In accordance with HIPAA's Breach Notification Rule, breach notification letters have been sent to all affected patients.

The breach report on the Department of Health and Human Services’ Office for Civil Rights (OCR) breach portal states that up to 4,309 people have possibly been impacted.

Due to the high black-market value of PHI, healthcare facilities are frequently the target of cyberattacks by criminals looking to make a profit. This case highlights the importance of regularly checking email systems to ensure that no unauthorized individuals have gained access to sensitive information.
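One concrete form of the email-system check recommended above, aimed at the technique used in this incident (mail forwarded from a compromised mailbox to an outside account): an added Python example, not code from the page or from Choice Rehabilitation, that scans mailbox-rule audit records for forwarding destinations outside the organisation's own domains. The record shape, the domain list and every address below are constructed assumptions, loosely modelled on Exchange admin audit entries.

```python
import json
import re

# Constructed sample audit records (not from the page). Shape: who acted,
# which cmdlet-style operation ran, and its parameters as name/value pairs.
SAMPLE_RECORDS = [
    {"UserId": "clinician@example-rehab.test", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "billing"},
                    {"Name": "ForwardTo", "Value": "someone@freemail.test"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "admin@example-rehab.test", "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "Identity", "Value": "frontdesk"},
                    {"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:archive@example-rehab.test"}]},
    {"UserId": "therapist@example-rehab.test", "Operation": "Set-InboxRule",
     "Parameters": [{"Name": "Identity", "Value": "sort"},
                    {"Name": "MoveToFolder", "Value": "Billing"}]},
]

INTERNAL_DOMAINS = {"example-rehab.test"}  # assumption: the organisation's own domains
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def _addresses(value):
    # Values may be "smtp:addr", "Name <addr>" or a ';'-separated list.
    return re.findall(r"[\w.+-]+@[\w.-]+", str(value))


def external_forwarding_findings(records, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per forwarding destination outside internal_domains."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        for name in sorted(FORWARDING_PARAMS.intersection(params)):
            for addr in _addresses(params[name]):
                if addr.rsplit("@", 1)[1].lower() in internal_domains:
                    continue
                findings.append({
                    "actor": rec.get("UserId"), "operation": rec["Operation"],
                    "parameter": name, "destination": addr,
                    # Forward-and-delete hides the forwarded mail from the owner.
                    "deletes_original": params.get("DeleteMessage") == "True"})
    return findings


if __name__ == "__main__":
    for finding in external_forwarding_findings(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

Only the rule sending mail to the outside freemail address is reported; the forward to an internal archive mailbox and the move-to-folder rule are not.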