Hack of staff email accounts jeopardizes patient info at Ivy Rehab
Ivy Rehab Physical Therapy, with clinics in 10 states, has disclosed that a hack of some employee email accounts may have put patients’ medical information at risk.
The chain, which operates 197 clinics in the Northeast, Midwest and Southeast, found evidence this past May suggesting that a limited number of employee email accounts were inappropriately accessed.
At that time, the information technology team investigated and found additional evidence of accessed accounts and engaged Equifax, which identified email accounts potentially compromised via a phishing attack.
In late September, the company learned that accessed email accounts may have contained protected health information such as patient names, Social Security numbers and patient financial account information.
“At this time, we have no evidence of misuse of anyone’s information as a consequence of this incident,” Ivy Rehab Physical Therapy told patients in a notification letter. “Nonetheless, we are informing our Ivy Rehab patients of this incident out of an abundance of caution,” said Jeff Wells, chief compliance officer, in the notification letter. “We are notifying any patient whose account may have been accessed in order to provide details of the incident, our response to the incident and resources to help protect any patients in the event they were affected.”
In addition to issuing an apology, the organization is offering credit monitoring services and identity theft restoration services through Equifax. The duration of protective services was not disclosed, but it generally is one or two years.
The organization also did not publicly disclose the number of affected individuals, which could be quite sizable because of the large number of potentially compromised clinics. The size of the breach eventually will be published on the Office for Civil Rights’ data breach website.
Now, Ivy Rehab Physical Therapy is enhancing data security protections with steps that include frequent password changes, ongoing security awareness training for all staff and continued work with government agencies. The organization did not respond to a media request for additional information and is under no obligation to provide it.