It has been found that an unauthorized individual hacked into the corporate email account of an employee of Choice Rehabilitation of Creve Coeur, MO, in order to set up a mail forwarder that shared emails with a personal email account.
The breach happened on July 1, 2018, and the mail forwarder was left switched on until September 30, 2018. A complete review of the email account showed that the protected health information of certain residents was included in billing documents attached to emails that had been shared with its associated skilled nursing facilities.
Private personal information, including financial data, Social Security numbers, Medicare and Medicaid numbers, dates of birth, and contact information, was not compromised. The breach was limited to medical record numbers, start and finish dates of therapy, diagnoses, treatment information, billing codes and the location name of the facility where care was given.
After the breach was found, access to the compromised email account was deactivated, the mail forwarder was removed, and the personal email account used by the attacker was disabled. Choice Rehabilitation made contact with other corporate users to make them aware of the breach, advising them of security safeguards that should be implemented to stop unauthorized account access. Additional security awareness training will be provided on an ongoing basis to staff members. New safeguards have also been put in place to strengthen email and network security, and monitoring of corporate email accounts has been kicked up a notch.
No evidence was found to suggest patient information has been misused. Choice Rehabilitation believes the risk of PHI misuse is minimal in this instance due to the nature of the data breached.
An officially submitted breach report on the Department of Health and Human Services’ Office for Civil Rights breach portal states that almost 4,309 individuals have potentially been impacted by the hacking incident.