Cyber Incident Victim: Rehabilitation Hospital of Northwest Ohio
Date:
Oct 2018
Location:
United States of America
Summary
Unauthorized access to employee email accounts at an Ohio rehabilitation hospital compromised patient data, including names, Social Security numbers, driver’s license details, dates of birth, health insurance information, and medical care records. The incident occurred alongside a similar breach at another facility under the same parent organization, Ernest Health, raising concerns about potential coordinated targeting of affiliated hospitals. While the organization did not confirm whether additional facilities were affected, notifications were sent to impacted individuals following the discovery of the email compromise.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In October 2018, the Rehabilitation Hospital of Northwest Ohio experienced unauthorized access to employee email accounts, compromising patient data. The breach exposed sensitive personal and medical information, including patient names, Social Security numbers, driver’s license details, dates of birth, health insurance information, and patient care records. Hospital officials confirmed the incident but did not disclose the exact number of affected individuals. The compromised data resided within the accessed email accounts, suggesting the attackers targeted communications containing sensitive attachments or messages. Patients were notified of the breach via mailed letters in April 2019, approximately six months after the incident occurred. The hospital did not publicly specify how the unauthorized access was detected or whether external cybersecurity experts assisted in the investigation. No details were provided regarding containment measures, such as password resets, multi-factor authentication implementation, or email system audits. The delayed notification timeline indicated a prolonged internal review process to assess the scope of exposed data.
The incident coincided with a similar breach at Weslaco Regional Rehabilitation Hospital in Texas, another facility under the Ernest Health network, which also reported unauthorized email access in October 2018. DataBreaches.net attempted to determine whether these incidents were part of a coordinated attack across Ernest Health hospitals but received no response from the healthcare system despite multiple inquiries. The lack of confirmation left unresolved whether other hospitals in the network were targeted or breached during the same period. Both breaches exposed comparable types of sensitive patient data, though neither hospital disclosed technical details about the attackers’ methods or motives. The Rehabilitation Hospital of Northwest Ohio did not report whether law enforcement was involved or if regulatory penalties resulted from the breach. Patient notifications emphasized the risk of identity theft and offered credit monitoring services, but no follow-up disclosures addressed whether stolen data was misused. The absence of additional public updates from Ernest Health or its affiliated hospitals prevented further clarity on the attacks’ broader implications or systemic vulnerabilities.