The protected health information of more than 35,000 patients of ATI Physical Therapy has potentially been compromised by a cyber attack that occurred when hackers obtained access to staff email accounts.
A security violation was discovered on January 18, 2018, when ATI Physical Therapy saw that the direct deposit information of some of its staff members had been altered in its payroll platform. Quick action was taken to remove the danger to employees, and external forensic investigative consultants were called in to determine the full extent and scope of the violation.
Evidence found in the investigation showed that the email accounts of certain staff members had been compromised and were accessed by unauthorized persons between January 9 and January 12, 2018. A review of the emails in the accounts showed they held the protected health information of tens of thousands of patients.
The types of information potentially compromised varied from one impacted person to another, but may have included names, dates of birth, credit/debit card numbers, driver’s license numbers, state ID details, Social Security numbers, Medicare/Medicaid data, health insurance information, billing history/claims information, medical record numbers, patient ID numbers, financial account specifics, disability codes, diagnoses, treatment details, prescription information, and physicians’ and therapists’ identities.
ATI Physical Therapy has revealed that just a small number of patients had their Social Security numbers put at risk.
Persons affected by the phishing attack have now been contacted by mail and have been offered complimentary credit monitoring services. Patients will also be provided with a $1 million identity theft insurance policy. Nothing to suggest misuse of information has been found by ATI Physical Therapy or the consultant forensic investigators.
ATI Physical Therapy’s review into the HIPAA breach is currently ongoing. Measures have been taken to improve email security to prevent future violations, and staff members have been given further training to help them identify phishing emails.
According to the Department of Health and Human Services’ Office for Civil Rights breach report, 35,136 patients may have had their protected health information impacted.