Malicious Actor Steals Patient Data from Multiple Ernest Health Hospitals
Ernest Health, the operator of rehabilitation and long-term acute care hospitals in Arizona, California, Colorado, Idaho, Indiana, Montana, New Mexico, Ohio, South Carolina, Texas, Utah, Wisconsin, and Wyoming, has started notifying patients about a recent data security incident involving their personal and protected health information.
Ernest Health identified unauthorized activity in its computer systems on February 1, 2024, and the forensic investigation confirmed there had been unauthorized access to systems containing patient data between January 16, 2024, and February 4, 2024, and files were acquired in the attack that included patient information. For the majority of the affected individuals, the compromised data was limited to names, addresses, dates of birth, medical record numbers, health insurance plan member IDs, claims data, diagnosis, and prescription information. Some patients also had their Social Security and/or driver’s license numbers compromised.
The security incident affected patients at multiple hospitals in the network, including:
| Affected Ernest Health Hospital | State | Individuals Affected |
| Advanced Care Hospital of Montana | MT | 2,331 |
| Advanced Care Hospital of Southern New Mexico | NM | 1,162 |
| Bakersfield Rehabilitation Hospital | CA | 852 |
| Bloomington Regional Rehabilitation Hospital | IN | 1,191 |
| Corpus Christi Rehabilitation Hospital | TX | 3,581 |
| Denver Regional Rehabilitation Hospital | CO | 848 |
| Elkhorn Valley Rehabilitation Hospital | WY | 3,636 |
| Greenwood Regional Rehabilitation Hospital | SC | 5,823 |
| Lafayette Regional Rehabilitation Hospital | IN | 2,861 |
| Laredo Rehabilitation Hospital | TX | 1,785 |
| Laredo Specialty Hospital | TX | 1,242 |
| Mesquite Rehabilitation Institute | TX | 3,317 |
| Mesquite Specialty Hospital | TX | 1,244 |
| Midlands Regional Rehabilitation Hospital | SC | 2,018 |
| Mountain Valley Regional Rehabilitation Hospital | AZ | 5,963 |
| New Braunfels Regional Rehabilitation Hospital | TX | 5,384 |
| Northern Colorado Long Term Acute Hospital | CO | 4,335 |
| Northern Colorado Rehabilitation Hospital | CO | 885 |
| Northern Idaho Advanced Care Hospital | ID | 5,606 |
| Northern Utah Rehabilitation Hospital | UT | 3,477 |
| Rehabilitation Hospital of Northern Arizona | AZ | 3,287 |
| Rehabilitation Hospital of Northern Indiana | IN | 1,643 |
| Rehabilitation Hospital of Northwest Ohio | OH | 3,671 |
| Rehabilitation Hospital of Southern California | CA | 925 |
| Rehabilitation Hospital of Southern New Mexico | NM | 5,466 |
| Rehabilitation Hospital of the Northwest | ID | 3,821 |
| South Texas Rehabilitation Hospital | TX | 4,130 |
| Spartanburg Rehabilitation Institute | SC | 4,506 |
| Summa Rehabilitation Hospital | OH | 2,986 |
| Trustpoint Rehabilitation Hospital of Lubbock | TX | 9,014 |
| Utah Valley Rehabilitation Hospital | UT | 1,642 |
| Weslaco Regional Rehabilitation Hospital | TX | 2,781 |
Notification letters started to be mailed to the affected individuals on March 29, 2024, and complimentary credit monitoring and identity theft protection services have been offered for two years. The data breach has been reported to regulators, and based on the breach reports that are currently showing on the HHS’ Office for Civil Rights breach portal, at least 101,413 individuals have been affected.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
