After an employee set up a mail forwarder to broadcast emails to a personal email account, Choice Rehabilitation of Creve Coeur, MO has discovered an unauthorized person illegally logged into a that corporate email account.
The breach took place on July 1, 2018 and the mail forwarder was enabled until September 30, 2018. A detailed review of the email account showed the protected health information of certain residents was included in billing documents attached to emails that had been broadcast to its associated skilled nursing centers.
Highly sensitive information including financial data, Social Security numbers, Medicare and Medicaid numbers, birth dates and contact information remained constantly safeguarded. The breach was restricted to billing data connected to physical, speech, and occupational therapy given to patients such as names, payor details, medical record numbers, start and end dates of therapy, diagnoses, treatment information, billing codes, and the name of the facility where care was given.
Upon noticing the breach, access to the compromised email account was terminated, the mail forwarder was disabled and the personal email account used by the hacker has been deactivated. Choice Rehabilitation alerted other corporate users regarding the breach and reminded them of security safeguards to stop unauthorized account access. Security awareness training will continue to be regularly provided to staff members. Enhanced safeguards have also been put in place to improve email and network security and monitoring of corporate emails accounts has been strengthened.
Choice Rehabilitation has seen any evidence to suggest the forwarded emails were opened by the hacker. Due to the nature of the PHI that was possibly accessed, Choice Rehabilitation is of the opinion the risk of PHI misuse is minimal.
The breach report on the Department of Health and Human Services’ Office for Civil Rights (OCR) breach portal states that up to 4,309 people have possibly been impacted.