Thousands of Choice Rehabilitation Residents Affected by Email Account Breach

by | Jan 7, 2019

After an employee set up a mail forwarder to broadcast emails to a personal email account, Choice Rehabilitation of Creve Coeur, MO has discovered an unauthorized person illegally logged into a that corporate email account.

The breach took place on July 1, 2018 and the mail forwarder was enabled until September 30, 2018. A detailed review of the email account showed the protected health information of certain residents was included in billing documents attached to emails that had been broadcast to its associated skilled nursing centers.

Highly sensitive information including financial data, Social Security numbers, Medicare and Medicaid numbers,  birth dates and contact information remained constantly safeguarded. The breach was restricted to billing data connected to physical, speech, and occupational therapy given to patients such as names, payor details, medical record numbers, start and end dates of therapy, diagnoses, treatment information, billing codes, and the name of the facility where care was given.

Upon noticing the breach, access to the compromised email account was terminated, the mail forwarder was disabled and the personal email account used by the hacker has been deactivated. Choice Rehabilitation alerted other corporate users regarding the breach and reminded them of security safeguards to stop unauthorized account access. Security awareness training will continue to be regularly provided to staff members. Enhanced safeguards have also been put in place to improve email and network security and monitoring of corporate emails accounts has been strengthened.

Choice Rehabilitation has seen any evidence to suggest the forwarded emails were opened by the hacker. Due to the nature of the PHI that was possibly accessed, Choice Rehabilitation is of the opinion the risk of PHI misuse is minimal.

The breach report on the Department of Health and Human Services’ Office for Civil Rights (OCR) breach portal states that up to 4,309 people have possibly been impacted.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy