Cyber Incident Victim: Aloha Nursing Rehab Centre
Date:
Jul 2022
Location:
United States of America
Summary
Aloha Nursing Rehab Centre experienced unauthorized access to its computer systems, compromising sensitive patient information. The breach exposed full names, dates of birth, Social Security numbers, financial account details, driver’s license or state identification numbers, medical record numbers, and protected health information for 20,216 individuals. Following an investigation assisted by cybersecurity professionals, the Hawaii-based skilled nursing facility confirmed the incident and initiated notification procedures to affected parties. The organization provides rehabilitative and long-term care services with over 130 employees.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On July 8, 2022, an unauthorized party accessed one or more files containing confidential patient information on Aloha Nursing Rehab Centre’s computer network. The Kaneohe, Hawaii-based skilled nursing facility discovered the potential breach and initiated an immediate investigation with assistance from cybersecurity professionals to determine the incident’s nature, scope, and impact on patient data. The investigation confirmed on December 28, 2022, that unauthorized access to sensitive information had occurred during the July intrusion. Aloha subsequently reviewed the compromised files to identify affected individuals and the specific types of data exposed, which included full names, dates of birth, Social Security numbers, financial account details, driver’s license or state identification numbers, medical record numbers, patient account numbers, protected health information, and health insurance details. The organization determined that 20,216 patients were impacted by the breach.
Aloha Nursing Rehab Centre filed a formal notice with the U.S. Department of Health and Human Services Office for Civil Rights on February 24, 2023, disclosing the breach’s scope and the categories of compromised data. On the same date, the facility began mailing individualized data breach notification letters to all affected patients, advising them of the exposure of their sensitive personal and medical information. The incident exposed patients to heightened risks of identity theft and financial fraud due to the breadth of identifiers and health-related data accessed. As a provider of skilled nursing, rehabilitative, long-term, comfort, and respite care services with over 131 employees and approximately $10 million in annual revenue, Aloha’s breach impacted a substantial portion of its patient population across multiple care categories. The facility did not publicly disclose technical details regarding the attack methodology, network vulnerabilities exploited, or containment measures beyond the investigative review.