Missouri-based Choice Rehabilitation Center is notifying 4,309 patients that their data was breached in a months-long hack of a corporate email account.
On November 7, Choice discovered that one of its email accounts had been hacked. According to officials, the attackers forwarded the provider's emails to an outside account under their control. The compromised account was later deactivated.
Choice consulted with Microsoft and launched an investigation into the attack. Officials determined that the forwarded emails included billing documents sent to associated nursing facilities, which contained patients' personal information and details of the medical services they received.
The investigation found that the hackers had access to the account from July 1 until September 30, a three-month window that closed more than a month before the intrusion was discovered. Officials said they don't know whether the cybercriminals actually viewed the emails.
The compromised emails contained billing data for physical, occupational, and speech therapy services. The data included patient names, medical record numbers, treatment facility, Medicare data, the beginning and end of treatment dates, treatment information, diagnoses, and billing codes. This type of data is most commonly used by cybercriminals for medical fraud.
Choice is working with its contracted nursing facilities to notify patients and "mitigate the potential damages from the breach." Officials said they have since bolstered their network security and are continuing to improve operational security. Employees are being trained on how to avoid being victimized by hackers.
The breach is the latest in an unfortunate healthcare trend: data breaches that go months without being detected.
In October, California-based Gold Coast Health Plan began notifying 37,000 patients that their data was potentially breached in a month-long phishing attack. The previous month, Philadelphia-based Independence Blue Cross announced a three-month long breach caused by an employee error.
And in July, two other providers – Alive Hospice and Manitowoc County – announced similar breaches.
These incidents are a reminder that timely breach detection depends on monitoring and access management controls. In a case like this one, a mailbox configured to forward to an external address is a concrete signal that auditing of mailbox configuration changes would surface long before a months-long window closes. Organizations can also reduce employee email risk by taking risk decisions away from users, for example by blocking automatic forwarding to external domains at the tenant level rather than relying on each user to notice an unexpected rule on their own account.
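The check described above, as an added example that is not part of the original article and is not code from Choice Rehabilitation or Microsoft: a small detector that reads Microsoft 365 unified audit log records and flags any mailbox forwarding or inbox rule whose destination lies outside the organization's own domains. The record layout assumed here (an `Operation` name plus a `Parameters` list of `Name`/`Value` pairs) follows the Exchange Online audit schema as this example models it; the domain `choicerehab.example`, the user names and every log record below are constructed for illustration.

```python
"""Flag mailbox forwarding to external addresses in Microsoft 365 audit records.

Added example, not code from the original article or the provider it describes.
Assumes the Exchange Online unified audit log layout: one JSON object per line,
with an "Operation" name and a "Parameters" list of {"Name", "Value"} pairs.
All records, users and domains below are constructed for illustration.
"""
import json
from dataclasses import dataclass

# Hypothetical tenant domains; any other destination counts as external.
INTERNAL_DOMAINS = {"choicerehab.example"}

# Cmdlet parameters that route mail elsewhere, and the operations that set them.
FORWARDING_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress",
                     "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
FORWARDING_OPS = {"Set-Mailbox", "New-InboxRule", "Set-InboxRule"}

# Constructed sample: four audit records serialised one JSON object per line.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2018-07-01T03:12:44", "Operation": "Set-Mailbox",
     "UserId": "billing@choicerehab.example",
     "Parameters": [{"Name": "Identity", "Value": "billing"},
                    {"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:collector@mail.example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2018-07-01T03:13:10", "Operation": "New-InboxRule",
     "UserId": "billing@choicerehab.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo",
                     "Value": "collector@mail.example.net;archive@mail.example.net"}]},
    {"CreationTime": "2018-07-02T09:00:01", "Operation": "New-InboxRule",
     "UserId": "frontdesk@choicerehab.example",
     "Parameters": [{"Name": "Name", "Value": "to manager"},
                    {"Name": "ForwardTo", "Value": "manager@choicerehab.example"}]},
    {"CreationTime": "2018-07-02T09:05:30", "Operation": "MailItemsAccessed",
     "UserId": "frontdesk@choicerehab.example", "Parameters": []},
])


@dataclass(frozen=True)
class Finding:
    time: str
    user: str
    operation: str
    address: str


def extract_addresses(value):
    """Split a forwarding parameter value into bare, lower-cased SMTP addresses.

    Handles the "smtp:" prefix Set-Mailbox records carry, semicolon-separated
    lists, and the "Display Name [SMTP:addr]" form inbox rules can use.
    """
    addresses = []
    for part in value.split(";"):
        part = part.strip()
        if "[" in part and part.endswith("]"):
            part = part[part.rfind("[") + 1:-1]
        if part.lower().startswith("smtp:"):
            part = part[5:]
        if "@" in part:
            addresses.append(part.lower())
    return addresses


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True when the address's domain is not one of the tenant's own."""
    return address.rpartition("@")[2] not in internal_domains


def find_external_forwarding(audit_log_text, internal_domains=INTERNAL_DOMAINS):
    """Return one Finding per external forwarding destination, in log order."""
    findings = []
    for line in audit_log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("Operation") not in FORWARDING_OPS:
            continue
        for param in record.get("Parameters", []):
            if param.get("Name") not in FORWARDING_PARAMS:
                continue
            for address in extract_addresses(str(param.get("Value", ""))):
                if is_external(address, internal_domains):
                    findings.append(Finding(record["CreationTime"], record["UserId"],
                                            record["Operation"], address))
    return findings


if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_AUDIT_LOG):
        print(f"{f.time} {f.user} {f.operation} -> {f.address}")
```

On the constructed sample the detector reports the two external destinations set on the billing mailbox and ignores the internal rule and the unrelated access record. One caveat worth keeping in mind when responding: a forwarding address or inbox rule survives a password reset, so it has to be removed explicitly, and only disabling the account, as Choice eventually did, otherwise stops the outflow.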