The following notice from Choice Rehabilitation is dated December 18, 2018, but first appeared in STLToday on December 31, 2018:
December 18, 2018
Choice Rehabilitation of Creve Coeur, MO notified more than 500 residents of a breach of unsecured resident health information after discovering the following event:
On November 7, 2018, Choice Rehabilitation (Choice) discovered that a corporate email account had been hacked. The hacker gained unauthorized access and was able to forward emails to a personal account which was later deactivated. It is not known whether the hacker has viewed the emails. In a detailed review of emails, Choice identified billing documents that were sent to associated skilled nursing facilities which included personal information relating to patients and the therapy services they received.
After consulting with Microsoft, Choice believes that this suspicious activity occurred from July 1, 2018 through September 30, 2018.
Currently, there is no indication that there has been any use of the disclosed health information. Nevertheless, Choice has provided a notice to each patient out of an abundance of caution because their information was available through an attachment within an email and potential access to or acquisition of that information, before the account was locked down, could not be definitively ruled out.
There was no highly sensitive information such as personal contact information, Social Security numbers, dates of birth, Medicare/Medicaid numbers or any financial data included in the hacked emails. The emails did include billing information for physical, occupational and speech therapy. Personal information related to this billing included the patient’s full name, patient’s facility medical record #, payor such as Medicare, start and end of therapy care dates, medical and treatment diagnosis, therapy billing codes including minutes and the facility name. Choice believes there is a low probability of reputational or financial harm to the patient with this limited information. In conjunction with the contracted skilled nursing facilities and security experts, Choice and the associated facilities are working to notify impacted residents to mitigate the potential damages of the breach.
Upon discovering this incident, Choice took immediate action to secure the impacted email account and further alerted other corporate email account users of security safeguards that will be monitored and additional safeguards that have been implemented. In a notification to residents and/or their responsible party, Choice has offered their resources as well as informed the individuals of steps they should take to protect themselves from potential harm resulting from the breach.
Finally, Choice has taken security measures to strengthen its network against similar incidents in the future.
Choice Rehabilitation understands the importance of safeguarding residents’ personal information and takes that responsibility very seriously. We regret that this incident has occurred, and we are committed to safeguarding resident information from future unauthorized access. Steps are underway to further improve the security of its operations and we will continue to provide reminders and training for employees to avoid being victimized by hackers and phishing emails in the future to the extent possible.
Contact Choice Rehabilitation’s Compliance Officer toll free at 855-900-0855 from 8 AM to 5 PM or email greeves@choicerehab.net with questions related to the breach.
(Originally published in the St. Louis Post-Dispatch for 12/31/2018)
Noteworthy: 2 Entities using insecure communications to transfer ePHI.