Email Account Breach Impacts Thousands of Choice Rehabilitation Residents

Choice Rehabilitation of Creve Coeur, MO, has discovered an unauthorized individual hacked into a corporate email account of one of its employees and set up a mail forwarder to send emails to a personal email account.

The breach occurred on July 1, 2018 and the mail forwarder remained active until September 30, 2018. A detailed analysis of the email account revealed the protected health information of certain residents was included in billing documents attached to emails that had been sent to its associated skilled nursing facilities.

Highly sensitive information such as financial data, Social Security numbers, Medicare and Medicaid numbers, dates of birth and contact information remained secure at all times. The breach was limited to billing information related to physical, speech, and occupational therapy provided to patients such as names, payor information, medical record numbers, start and end dates of therapy, diagnoses, treatment information, billing codes, and the name of the facility where care was provided.

Upon discovery of the breach, access to the compromised email account was blocked, the mail forwarder was deactivated, and the personal email account used by the attacker has been deactivated. Choice Rehabilitation alerted other corporate users about the breach and reminded them of security safeguards to prevent unauthorized account access. Security awareness training will continue to be regularly provided to employees. Additional safeguards have also been implemented to improve email and network security and monitoring of corporate emails accounts has been stepped up.

Choice Rehabilitation has not received any information to suggest the forwarded emails were opened by the attacker. Due to the nature of the PHI that was potentially accessed, Choice Rehabilitation believes the risk of PHI misuse is low.

The breach report on the Department of Health and Human Services’ Office for Civil Rights breach portal indicates up to 4,309 individuals have potentially been affected by the incident.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.