DataBreaches.Net

IvyRehab reports data security breach after employee email accounts compromised

Posted on November 28, 2019 by Dissent

Update: This incident was subsequently reported to HHS as affecting 125,000 patients.

Lee News reports:

BLOOMINGTON — Ivy Rehab Physical Therapy, which has locations in Bloomington, Decatur and Clinton, has reported a data security breach and is offering free credit monitoring to concerned patients.

[…]

In May, the company discovered some employee email accounts may have been compromised. Investigators in September found the accounts may have contained information about current and former patients. There is no evidence of misuse.

Read more on Herald & Review.

The full notice, which appears on the network’s website and is cited below, does not reveal when the compromise first occurred — only that they first discovered some evidence of compromise in May 2019. Nor does the notice indicate how many patients, in total, are potentially impacted:

WHITE PLAINS, NEW YORK – November 26, 2019 – Ivy Rehab has become aware of a data security incident that may have resulted in unauthorized access to patient information. At this time, there is no evidence of any attempted or actual misuse of any patient information.  However, we are notifying any patient whose information may have been accessed in order to provide details of the incident, our response to the incident, and resources to help protect any patients in the event they were affected. Your trust is a top priority at Ivy Rehab, and we sincerely apologize for any inconvenience or concern this incident may cause you.

In May of 2019, we found evidence to suggest that a limited number of Ivy Rehab employee email accounts may have been inappropriately accessed.  We immediately notified our information technology team, who undertook an investigation and found additional evidence that certain employee email accounts were accessed by unknown unauthorized parties. Subsequently, we engaged an industry-leading computer forensic firm to investigate the nature and extent of the unauthorized access to our email system. The investigation identified certain employee email accounts that were potentially accessed by unauthorized parties as a result of a presumed phishing campaign targeting our employees.

On September 26, 2019, after a search of the contents of the affected email accounts, we discovered that the accessed email accounts may have contained patient information about some of our current and former patients including patients’ first and last names in combination with one or more of the following attributes: protected health information, Social Security numbers, and financial account information. Once again, we have no evidence of misuse of anyone’s information as a consequence of this incident.  Nonetheless, we are informing our patients of this incident out of an abundance of caution.

In light of this incident, we are offering complimentary identity theft restoration and credit monitoring services through Equifax to help protect any impacted current and/or former patients for a certain period of time. If you think your information may be at risk, please call (833) 935-1376 Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time.

At Ivy we take data privacy and security very seriously and are actively taking steps to guard against something like this from happening again. Such steps include, but are not limited to, requiring frequent password changes, providing all staff with ongoing security awareness training, and always working cooperatively with related government agencies. We have and will continue to proactively invest our resources to improve our data protection capabilities.  We sincerely regret any inconvenience or concern that this matter may cause you and remain dedicated to ensuring the privacy and security of all information in our control.

Sincerely,
Jeffrey Wells, Esq., CHC, OHCC
Chief Compliance Officer and Privacy Officer
IvyRehab Physical Therapy

Category: Health Data, Phishing, U.S.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.