Cyber Incident Victim: Northeast Rehabilitation Hospital Network
Date:
Sep 2021
Location:
United States of America
Summary
Northeast Rehabilitation Hospital Network experienced a hacking incident involving unauthorized system access discovered in late September 2021, with the intrusion ending several days later. The organization initially reported over 500 affected individuals to federal regulators before confirming nearly 190,200 impacted patients in subsequent state filings. Compromised data included names, addresses, birthdates, Social Security numbers, driver's license details, and financial account information. The entity began notifying patients through website announcements and media press releases approximately two months after detecting the breach while coordinating disclosures with health authorities and state regulators.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On September 30, 2021, Northeast Rehabilitation Hospital Network (NRHN) in New Hampshire discovered unauthorized access to their systems. The unauthorized activity persisted until October 5, 2021, marking a six-day period of compromise. NRHN initially reported the incident to the U.S. Department of Health and Human Services (HHS) on November 29, 2021, classifying it as a hacking/IT incident involving network server data. At that time, they estimated the breach affected 501 individuals—a placeholder figure commonly used when entities confirm more than 500 affected persons but lack complete impact assessment. The organization began notifying patients through website postings and media press releases concurrent with their HHS filing.
Nearly nine months later on August 24, 2022, NRHN submitted updated breach details to the Maine Attorney General’s Office, revealing the full scope. The final confirmed impact extended to 190,220 individuals, exposing multiple categories of sensitive data. Compromised information included full names, physical addresses, dates of birth, driver’s license numbers, Social Security numbers, and financial account details. No evidence suggested data misuse beyond the initial unauthorized access period. The hospital network maintained public notification through established channels without disclosing specific technical details about the attack vector or containment measures beyond the October 5 access termination. Regulatory filings confirmed the incident remained confined to electronic systems without physical record involvement.