Cyber Incident Victim: ATI Physical Therapy
Date:
Jan 2018
Location:
United States of America
Summary
ATI Physical Therapy experienced a cybersecurity incident involving unauthorized access to employee email accounts, potentially compromising patient information. The breach exposed various sensitive data types including names, dates of birth, Social Security numbers, financial details, medical records, treatment information, and insurance data, with impacts varying per individual. While no evidence of information misuse was found, the company initiated forensic investigations, notified affected individuals, offered complimentary credit monitoring services, and implemented enhanced security measures such as password resets, email system improvements, and employee training on phishing prevention.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
ATI Holdings, LLC and its subsidiaries (“ATI”) identified a security incident beginning with the discovery on January 11, 2018, of unauthorized changes to employee direct deposit information within the organization’s payroll platform. This prompted immediate mitigation efforts and the initiation of an internal investigation supported by third-party forensic experts to assess the incident’s scope. Subsequent analysis revealed unauthorized access to certain employee email accounts between January 9 and January 12, 2018. The compromised accounts contained sensitive patient information, including names, dates of birth, driver’s license or state identification numbers, Social Security numbers, credit card details, financial account numbers, patient and Medicare/Medicaid identifiers, medical record numbers, diagnosis codes, treatment details, medication/prescription information, provider names, billing/claims data, and health insurance information. While Social Security numbers were only exposed for a small subset of affected individuals, the breadth of compromised data varied across patients. ATI’s investigation found no evidence of actual or attempted misuse of patient data as of the notification date, though the forensic review remained ongoing at the time of public disclosure.
In response, ATI implemented corrective measures including mandatory password resets for impacted employees and enhancements to email system security. The organization began mailing notification letters to affected patients in March 2018, directing them to a dedicated call center operational six days per week for inquiries. ATI offered free credit monitoring services through the AllClear ID platform, with enrollment details provided in the mailed notices and via a designated website. Concurrently, the company expanded employee training programs focused on phishing scam identification and collaborated with law enforcement agencies and regulatory bodies regarding the breach. ATI emphasized continuous monitoring of its systems to reinforce data protection, though the investigation did not conclusively determine the methods used by the threat actor or the total number of individuals impacted at the time of public reporting.