April 1, 2018
ATI Physical Therapy has noticed that PHI of more than 35,000 of its clients might have been accessed when a hacker took details within the electronic mail accounts of a few of its staff members.
A safety breach was noticed on January 18, 2018 when ATI Physical Therapy noticed that the direct deposit details of a few of its employees had been altered in its payroll database. Quick action was taken to protect its staff and outside forensic detectives were called in to probe the complete range and scope of the breach.
The probe demonstrated that the electronic mail accounts of certain staff members had been undermined and were accessed by illegal persons between January 9 and January 12, 2018. An examination of the electronic mail contained in the accounts demonstrated they contained the PHI of tens of thousands of patients.
The variety of information possibly accessed differed per impacted individual, but might have included names, prescription information, treatment specifics, diagnoses, disability codes, financial account details, patient ID numbers, medical record details, billing/claims data, health insurance information, Medicare/Medicaid information, Social Security numbers, state ID numbers, driver’s license numbers, credit/debit card numbers, dates of birth, and physicians’ and therapists’ identities.
ATI Physical Therapy has disclosed that only a small number of patients had their Social Security numbers retrieved.
Patients impacted by the phishing occurrence have now been warned by post and have been offered credit checking facilities for free. Patients will also be protected by a $1 million identity theft insurance plan. No proof of wrong use of information has been noticed by ATI Physical Therapy of the forensic detectives.
ATI Physical Therapy’s analysis into the breach is continuing and actions have been taken to increase electronic mail safety to obstruct future breaches and staff members have been provided with training to assist them to find phishing electronic mails.
The Division of Health and Human Services’ OOCR breach report portal demonstrates that 35,136 patients have probably had their PHI taken.