Update: This incident was subsequently reported to HHS as affecting 125,000 patients.
Lee News reports:
BLOOMINGTON — Ivy Rehab Physical Therapy, which has locations in Bloomington, Decatur and Clinton, has reported a data security breach and is offering free credit monitoring to concerned patients.
[…]
In May, the company discovered some employee email accounts may have been compromised. Investigators in September found the accounts may have contained information about current and former patients. There is no evidence of misuse.
Read more on Herald & Review.
The full notice, which appears on the network’s website and is cited below, does not reveal when the compromise first occurred — only that they first discovered some evidence of compromise in May 2019. Nor does the notice indicate how many patients, total, are potentially impacted:
WHITE PLAINS, NEW YORK – November 26, 2019 – Ivy Rehab has become aware of a data security incident that may have resulted in unauthorized access to patient information. At this time, there is no evidence of any attempted or actual misuse of any patient information. However, we are notifying any patient whose information may have been accessed in order to provide details of the incident, our response to the incident, and resources to help protect any patients in the event they were affected. Your trust is a top priority at Ivy Rehab, and we sincerely apologize for any inconvenience or concern this incident may cause you.
In May of 2019, we found evidence to suggest that a limited number of Ivy Rehab employee email accounts may have been inappropriately accessed. We immediately notified our information technology team, who undertook an investigation and found additional evidence that certain employee email accounts were accessed by unknown unauthorized parties. Subsequently, we engaged an industry-leading computer forensic firm to investigate the nature and extent of the unauthorized access to our email system. The investigation identified certain employee email accounts that were potentially accessed by unauthorized parties as a result of a presumed phishing campaign targeting our employees.
On September 26, 2019, after a search of the contents of the affected email accounts, we discovered that the accessed email accounts may have contained patient information about some of our current and former patients including patients’ first and last names in combination with one or more of the following attributes: protected health information, Social Security numbers, and financial account information. Once again, we have no evidence of misuse of anyone’s information as a consequence of this incident. Nonetheless, we are informing our patients of this incident out of an abundance of caution.
In light of this incident, we are offering complimentary identity theft restoration and credit monitoring services through Equifax to help protect any impacted current and/or former patients for a certain period of time. If you think your information may be at risk, please call (833) 935-1376 Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time.
At Ivy we take data privacy and security very seriously and are actively taking steps to guard against something like this from happening again. Such steps include, but are not limited to, requiring frequent password changes, providing all staff with ongoing security awareness training, and always working cooperatively with related government agencies. We have and will continue to proactively invest our resources to improve our data protection capabilities. We sincerely regret any inconvenience or concern that this matter may cause you and remain dedicated to ensuring the privacy and security of all information in our control.
Sincerely,
Jeffrey Wells, Esq., CHC, OHCC
Chief Compliance Officer and Privacy Officer
IvyRehab Physical Therapy