An unauthorized individual gained access to the corporate email account of an employee of Choice Rehabilitation of Creve Coeur, MO, and set up a mail forwarder that sent copies of emails to a personal email account.
The breach happened on July 1, 2018, and the mail forwarder was left switched on until September 30, 2018. A complete review of the email account showed that the protected health information of certain residents was sent along with billing documents attached to emails that had been shared with its associated skilled nursing facilities.
Private personal information, including financial data, Social Security numbers, Medicare and Medicaid numbers, dates of birth and contact details, remained protected for the duration of the breach. The breach was limited to billing data related to physical, speech, and occupational therapy provided to patients, including names, payor information, medical record numbers, start and finish dates of therapy, diagnoses, treatment information, billing codes and the name of the facility where care was given.
After the breach was found, access to the compromised email account was deactivated, the mail forwarder was shut off, and the personal email account used by the attacker was disabled. Choice Rehabilitation contacted other corporate users to make them aware of the breach and advised them of security safeguards to stop unauthorized account access. Additional security awareness training will be provided to staff members on an ongoing basis. New safeguards have also been put in place to strengthen email and network security, and monitoring of corporate email accounts has been stepped up.
No one has made contact and there has been nothing to suggest that the forwarded emails were opened by the attacker. Choice Rehabilitation believes the risk of PHI misuse is minimal in this instance due to the nature of the data breached.
The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights breach portal states that almost 4,309 individuals have potentially been impacted by the hacking incident.