Michigan rehab provider notifies patients of two data breaches

Sacred Heart Rehabilitation Center in Richmond, Mich., is notifying patients after two phishing attacks last April compromised an employee’s email account.

The behavioral health provider says it has notified a limited number of patients affected by the attack. It did not immediately disclose the number of patients affected, although it said the incident did not affect all patients. At some point, the provider will need to report the number of patients to the HHS Office for Civil Rights’ data breach web site.

Also See: The largest data breaches of 2018

Upon learning of the breach, Sacred Heart launched an investigation and engaged forensic specialists to determine the scope of the breach and the information in employees’ email accounts, a process that can take considerable time.



In mid-November, the organization learned that the email account contained patient names, addresses, health insurance information, treatment information, diagnostic information and an undisclosed amount of Social Security numbers.

Patients with compromised SSNs have been offered credit monitoring and identity theft protection from an undisclosed vendor. All affected patients were given information on best practices to protect their information.

Sacred Heart Rehabilitation Center executives say the organization has taken steps to minimize the risk of similar incidents in the future by retraining employees on cyber awareness and security measures.