Cyber Incident Victim: Ivy Rehab Physical Therapy

In May 2019, Ivy Rehab Physical Therapy detected evidence suggesting unauthorized access to a limited number of employee email accounts. The organization immediately engaged its internal IT team to investigate, which confirmed that unknown parties had compromised certain accounts. A subsequent forensic investigation by an external cybersecurity firm determined the unauthorized access resulted from a presumed phishing campaign targeting employees. The investigation revealed attackers infiltrated the email system between May and September 2019, though the exact intrusion timeline remained unspecified. On September 26, 2019, after completing a comprehensive review of affected accounts, Ivy Rehab confirmed the compromised mailboxes contained sensitive patient information. The organization found no evidence of actual misuse or attempted exploitation of the accessed data during this period.

The compromised information included current and former patients' first and last names combined with protected health information, Social Security numbers, or financial account details. While no fraudulent activity was detected, Ivy Rehab initiated notifications on November 26, 2019, offering complimentary credit monitoring and identity theft restoration services through Equifax for potentially affected individuals. Response measures included mandatory frequent password changes for all staff, enhanced security awareness training programs, and continued collaboration with government agencies. The organization implemented additional investments in data protection capabilities but did not disclose specific technical controls. Ivy Rehab's Chief Compliance Officer publicly acknowledged the breach, emphasizing ongoing efforts to strengthen security protocols while apologizing for potential patient concerns.