Choice Rehabilitation of Creve Coeur, MO has announced that an unauthorized person has gained access to an employee’s corporate email account and created a mail forwarder to send emails to a personal email account.
The breach initially occurred on July 1, 2018 and the mail forwarder continued to be active up to September 30, 2018. A comprehensive analysis of the email account showed the protected health information (PHI) of a number of residents was recorded in billing documents attached to some email messages. Those messages had been sent to its affiliated skilled nursing facilities.
The exposed PHI was limited to billing data associated with physical, speech, and occupational therapy given to patients. That information was typically names, medical record numbers, payor details, therapy start and end dates, diagnoses, treatment details, billing codes and the care facility name.
When the breach was discovered, Choice Rehabilitation blocked access to the compromised email account and deactivated the mail forwarder. The personal email account that the attacker used was subsequently deactivated. Choice Rehabilitation informed other corporate users about the breach to alert them to the risk of further attempts to gain access to corporate email accounts, and further email security training will continue to be provided to employees. Choice Rehabilitation has also upgraded email and system security, and corporate email accounts will be more closely monitored in the future.
Choice Rehabilitation does not believe the risk of PHI misuse to be high due to the type of information that was compromised.
Choice Rehabilitation has reported the breach to the Department of Health and Human Services’ Office for Civil Rights. The breach report shows that the PHI of 4,309 patients was exposed.