Cyber Incident Victim: Sacred Heart Rehabilitation Center

Date: Apr 2019

Location: United States of America

Summary

Sacred Heart Rehabilitation Center in Michigan experienced a phishing attack that compromised protected health information. The breach occurred in early April, but the center only identified the exposure of PHI in November. The incident involved an undisclosed number of patients, and details were not yet available on HHS's public breach database at the time of reporting.

Description

Sacred Heart Rehabilitation Center, a Michigan-based healthcare provider covered under HIPAA, experienced a phishing incident in early April 2019. The attack compromised employee email accounts, though the exact date of initial detection remains unspecified in available reports. The organization confirmed in November 2019 that protected health information (PHI) was involved in the breach, indicating a seven-month gap between the phishing event and the identification of compromised patient data. Notification letters were subsequently issued to affected individuals, though the center did not publicly disclose the number of impacted patients or the specific types of exposed health information. The breach had not yet appeared on the U.S. Department of Health and Human Services' public breach portal when reported by media outlets in January 2020, suggesting ongoing investigations or delayed regulatory filings.

The incident exposed sensitive patient data through unauthorized access to employee email systems, though technical details about the phishing mechanism and the scope of account compromises were not released. Sacred Heart initiated standard breach response protocols, including an internal investigation to determine PHI involvement and subsequent patient notifications. No evidence suggests ransomware deployment or permanent data loss occurred. The center's public disclosure provided no information about implemented security enhancements, forensic investigations, or coordination with law enforcement agencies. The delayed identification of PHI exposure—occurring months after the initial email compromise—highlighted potential gaps in detection capabilities. Financial impacts, legal consequences, and operational disruptions stemming from the incident remain undocumented in available sources.
