4,309 Choice Rehabilitation Residents Impacted by Email Account Breach

Choice Rehabilitation of Creve Coeur, MO has announced that an unauthorized person gained access to an employee’s corporate email account and created a mail forwarder to send emails to a personal email account.

The breach initially occurred on July 1, 2018 and the mail forwarder continued to be active up to September 30, 2018. A comprehensive analysis of the email account showed the protected health information (PHI) of a number of residents was recorded in billing documents attached to some email messages. Those messages had been sent to its affiliated skilled nursing facilities.

The exposed PHI was limited to billing data associated with physical, speech, and occupational therapy given to patients. That information was typically names, medical record numbers, payor details, therapy start and end dates, diagnoses, treatment details, billing codes and the care facility name.

When the breach was discovered, Choice Rehabilitation blocked access to the compromised email account and deactivated the mail forwarder. The personal email account that the attacker used was subsequently deactivated. Choice Rehabilitation informed other corporate users about the breach to alert them to the risk of further attempts to gain access to corporate email accounts, and further email security and HIPAA training will continue to be provided to employees. Choice Rehabilitation has also upgraded email and system security, and corporate email accounts will be more closely monitored in the future.

Choice Rehabilitation does not believe the risk of PHI misuse to be high due to the type of information that was compromised.

Choice Rehabilitation has reported the breach to the Department of Health and Human Services’ Office for Civil Rights. The breach report shows that the PHI of 4,309 patients was exposed.


About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/