Cyber Incident Victim: Choice Rehabilitation
Date: Nov 2018
Location: United States of America
Summary
A healthcare provider experienced unauthorized access to a corporate email account, where an attacker forwarded emails containing patient billing information to an external account before the breach was contained. The compromised data included patient names, medical record numbers, therapy service details, diagnoses, treatment codes, and care dates, but excluded highly sensitive identifiers like Social Security numbers or financial data. The organization secured the affected account, notified over 500 impacted individuals, and collaborated with affiliated facilities to mitigate risks. While no misuse of information was detected, the provider implemented enhanced security protocols, employee training, and ongoing monitoring to prevent future incidents, assessing a low probability of financial or reputational harm to patients due to the limited nature of exposed data.
Description
On November 7, 2018, Choice Rehabilitation discovered unauthorized access to a corporate email account after identifying that a hacker had compromised the account and forwarded emails to an external personal account. After consulting with Microsoft, the organization determined that the suspicious activity occurred between July 1, 2018, and September 30, 2018. While investigators could not confirm whether the attacker viewed email contents, a forensic review revealed the compromised account contained billing documents transmitted to skilled nursing facilities. These attachments included patient names, facility medical record numbers, payer information (such as Medicare), therapy start/end dates, medical diagnoses, treatment codes with session durations, and facility names. No Social Security numbers, birth dates, financial data, or government healthcare identifiers were exposed in the breach. Choice Rehabilitation secured the affected email account immediately upon discovery and initiated an internal investigation to assess the scope of potential data exposure across the three-month intrusion period.

The organization notified over 500 affected patients starting December 18, 2018, despite finding no evidence of misuse of the exposed health information. This notification acknowledged the theoretical risk of unauthorized access to therapy billing details during the account compromise window. Choice Rehabilitation coordinated breach response efforts with its contracted skilled nursing facilities and cybersecurity consultants, implementing enhanced email security protocols across all corporate accounts. Measures included increased monitoring of account activity and additional authentication safeguards. The company established a dedicated toll-free hotline and email address operated by its Compliance Officer for breach-related inquiries. Internal security improvements focused on employee training to recognize phishing attempts and hardening network defenses against comparable email-based attacks. Choice Rehabilitation emphasized ongoing efforts to strengthen operational security while maintaining responsibility for protecting patient information through revised technical controls and staff awareness initiatives.
