Cyber Incident Victim: Alliance Physical Therapy Partners
Date:
Dec 2021
Location:
United States of America
Summary
Alliance Physical Therapy Partners experienced unauthorized access to systems containing protected health information, with the intrusion occurring over a four-day period and detected shortly thereafter. The organization confirmed patient data compromise following an investigation, reviewing affected files over several months. While specifics regarding the number of impacted individuals remain undisclosed due to the absence of regulatory reporting details at the time, the incident prompted a review of security policies and implementation of additional safeguards to prevent future breaches.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Alliance Physical Therapy Partners, a Grand Rapids Charter Township, MI-based entity formerly operating as Agility Health, experienced a cybersecurity incident involving unauthorized access to certain systems containing patients' protected health information. The breach timeline was confined to a five-day period between December 23, 2021, and December 27, 2021, with initial detection occurring on December 27, 2021. Forensic analysis confirmed on January 7, 2022, that patient data had been compromised during this intrusion window. The organization undertook a comprehensive review of all potentially affected files, completing this assessment on April 19, 2022. While the specific types of exposed PHI were not detailed in available reports, the breach notification confirmed unauthorized third-party access to systems storing sensitive patient information.
In response to the incident, Alliance Physical Therapy Partners conducted an internal review of existing policies and procedures related to data security. The organization implemented additional cybersecurity safeguards designed to prevent similar future breaches, though technical specifics of these enhancements were not publicly disclosed. As of the June 22, 2022, reporting date, the breach had not yet appeared on the HHS Office for Civil Rights breach portal, leaving the total number of affected individuals unconfirmed in public records. No information regarding evidence of data misuse or theft was provided in the notification. The organization's disclosure did not reference offering credit monitoring or identity protection services to potentially impacted patients, distinguishing its response from other contemporaneous healthcare breaches documented in the same reporting period.