ATI Physical Therapy has noticed the protected health information of over 35,000 patients has potentially been undermined when threat actors gained access to the electronic mail accounts of a few of its workers.
A safety breach was known on January 18, 2018 when ATI Physical Therapy noticed the direct deposit information of a few of its workers had been altered in its payroll platform. Swift action was taken to safeguard its workers and external forensic researchers were called in to decide the complete range and scope of the breach.
The study revealed the electronic mail accounts of certain workers had been undermined and were accessed by illegal people between January 9 and January 12, 2018. An analysis of the electronic mails in the accounts disclosed they had the protected health information of tens of thousands of patients.
The kinds of information possibly undermined differed per impacted person, however, might have included names, prescription information, treatment information, diagnoses, disability codes, financial account numbers, patient ID numbers, medical record numbers, billing/claims information, health insurance information, Medicare/Medicaid information, Social Security numbers, state ID numbers, driver’s license numbers, credit/debit card numbers, dates of birth, and physicians’ and therapists’ names.
ATI Physical Therapy informs that just a small number of patients had their Social Security numbers disclosed.
Patients affected by the phishing occurrence have now been informed by mail and have been offered credit checking facilities without charge. Patients will also be covered by a $1 million identity theft insurance policy. No proof of abuse of information has been found by ATI Physical Therapy of the forensic detectives.
ATI Physical Therapy’s inquiry into the breach is continuing and measures have been taken to strengthen electronic mail safety to avoid future breaches and workers have been provided with training to assist them to identify phishing electronic mails.
The Division of Health and Human Services’ Office for Civil Rights breach report shows 35,136 patients have possibly had their protected health information accessed.