Email-Related Breach Impacts 4,309 Choice Rehabilitation Residents


Choice Rehabilitation of Creve Coeur, MO learned that an unauthorized person accessed an employee’s email account and set up a mail forwarder, which sent email messages to a personal email account. This mail forwarder was active from July 1, 2018 to September 30, 2018. After a complete analysis of the email account, it was confirmed that the billing document attachments of email messages contained protected health information (PHI) of certain residents and were sent to skilled nursing facilities.

Highly sensitive data like Medicare and Medicaid numbers, financial data, Social Security numbers, birth dates and contact details were not compromised. The breached data only involved the billing records for physical, speech, and occupational therapy patients, which included names, medical record numbers, therapy start and end dates, payor details, diagnoses, treatment information, care facility name and billing codes.

As soon as the breach was uncovered, Choice Rehabilitation stopped unauthorized access to the email account. Mail forwarding to the personal email account of the attacker was also stopped. Choice Rehabilitation advised all corporate users about the breach and advised them to follow the security measures to prevent unauthorized people from accessing their accounts. Employees will need to undergo security awareness training and added safety controls will be employed to strengthen the security of email and network system. Corporate email accounts will be strictly supervised from here on.

No report was received by Choice Rehabilitation that suggest the opening of forwarded emails by the attacker. It is assumed that there is minimal risk of PHI misuse because of the types of potentially compromised PHI.

Choice Rehabilitation submitted the breach report to the Department of Health and Human Services’ Office for Civil Rights. The breach incident was posted on OCR’s breach portal and indicated that about 4,309 people were likely impacted.