Phishing Attacks on Comprehensive Sleep Care Center and Ivy Rehab Physical Therapy Potentially Impact PHI

Loudoun Medical Group, also known as Comprehensive Sleep Care Center (CSCC), experienced a phishing attack on or around June 19, 2019.

The IT department was notified of a potential email security breach after suspicious activity was identified in an employee’s email account. The password was quickly changed to prevent continued unauthorized access. Forensic investigators examined the incident and confirmed that the breach was limited to a single email account, which an unauthorized person accessed from June 15, 2019 to June 19, 2019.

On October 17, 2019, the investigators determined which patients had their data compromised. The data stored in the email account varied from patient to patient, but might have included the patient’s name together with one or more of the following data elements: birth date, passport number, Social Security number, medical record number, driver’s license number, payment card details, financial account data, patient record number, medical background, medical insurance details, treatment details and/or date(s) of service.

CSCC put additional security measures in place to prevent further email security breaches and gave affected individuals information on reducing the risk of PHI misuse. So far, there is no evidence that patient data was actually misused.

Phishing Attack on Ivy Rehab Physical Therapy

A phishing attack on Ivy Rehab Physical Therapy, a group of 200 physical therapy clinics, resulted in the potential compromise of patients’ protected health information (PHI).

The company found out about the phishing attack in May 2019, and third-party forensic experts began an investigation. On September 26, 2019, the investigators confirmed that the compromised accounts contained the PHI of some patients and that attackers potentially accessed it. However, no reports of patient information misuse have been received, and no actual proof of unauthorized access to data has been identified.

The potentially compromised information includes names and at least one of the following data elements: health data, Social Security numbers, and financial data. Affected persons received free identity theft protection and credit monitoring services.

The attack also prompted Ivy Rehab to change its password policies, including requiring passwords to be changed more frequently. Employees also received additional security awareness training.