Cyber Incident Victim: Choice Health Management Services
Date:
Dec 2019
Location:
United States of America
Summary
Choice Health Management Services experienced unauthorized access to employee email accounts containing protected health and personal information. The organization engaged forensic investigators to determine the incident's scope but could not identify specific compromised emails or attachments initially. A subsequent review revealed sensitive data within the accounts, though linking affected individuals to specific healthcare facilities delayed notifications. After coordinating with associated facilities for permission, impacted individuals were notified approximately six months post-discovery without offering credit monitoring due to no evidence of data misuse. The entity implemented unspecified additional security measures following the breach.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In late 2019, Choice Health Management Services, a North Carolina-based business associate providing IT, payroll, billing, and compliance services for assisted living and skilled nursing facilities, discovered suspicious activity in certain employee email accounts. The organization engaged third-party forensic investigators to determine the nature and scope of the incident. By January 17, 2020, investigators confirmed unauthorized access to the email accounts but could not identify which specific emails or attachments within those accounts had been compromised. This uncertainty triggered a comprehensive manual review of all affected email accounts to identify potentially exposed sensitive information. The review concluded on March 27, 2020, revealing that protected health information (PHI) and personally identifiable information (PII) were present in the compromised accounts. A subsequent challenge emerged when investigators could not associate many affected individuals with their respective healthcare facilities, requiring Choice Health to conduct an internal records review to establish these connections for proper notification protocols.
Choice Health completed its internal facility-matching review on May 12, 2020, enabling notification to impacted healthcare facilities. The company alerted facilities on April 16 and again on May 22, 2020, seeking and obtaining permission to notify affected patients and residents. Individual notifications commenced on June 23, 2020, more than six months after the initial discovery. The organization did not provide complimentary credit monitoring or identity restoration services, stating no evidence of actual data misuse had been identified. Choice Health implemented unspecified additional security safeguards in response to the incident but disclosed no technical details about these measures. The breach exposed vulnerabilities in email account security practices, particularly regarding storage of PHI in employee email systems, and highlighted operational challenges in coordinating notifications across multiple healthcare facilities.