Phishing Attack on Sacred Heart Rehabilitation Center Exposed Patients’ PHI


Sacred Heart Rehabilitation Center, located in Memphis, MI, provides substance abuse treatment and care services to HIV/AIDS patients. The center learned that an unauthorized individual had accessed an employee's email account after the employee responded to a phishing email.

The email-related breach took place between April 5 and April 7, 2018. It is not known when the rehabilitation center discovered the phishing attack. The breach investigators found that the email account contained messages with certain patients' protected health information (PHI). The compromised account included information such as patients' names, addresses, Social Security numbers, diagnoses, treatment information, and health insurance plan information. The center sent breach notification letters on January 9, 2018 to the patients whose PHI was potentially compromised.

The center has not publicly announced the number of patients affected by the breach, although it is clear that not all patients' data were exposed. The breach has not yet been posted on the Department of Health and Human Services' Office for Civil Rights breach portal.

Sacred Heart Rehabilitation Center has also provided all patients affected by the breach with one year of free credit monitoring and identity theft protection services. All patients were advised to check their financial accounts and explanation of benefits statements for signs of PHI misuse. So far, the center has received no report that any patient's PHI has been misused.

To reduce the risk of future phishing attacks, the center implemented additional security controls and gave its workforce further security awareness training.

2018 did not have a great ending for healthcare providers in Michigan. In December, Blue Cross Blue Shield of Michigan had two data breaches affecting more than 16,000 individuals. Kent County Community Mental Health Authority likewise had a phishing attack affecting 2,200 people.