The protected health information of over 35,000 patients at ATI Physical Therapy was potentially accessed by unauthorized persons due to a phishing attack on some employees’ email accounts. ATI discovered the security breach on January 18, 2018 when it was noticed that the direct deposit information of some employees in the payroll platform was changed. As a response, ATI immediately took action and requested the help of external forensic investigators to find out the full extent of the breach.
According to the investigation, unauthorized persons accessed the email accounts of certain employees some time in January 9 to January 12, 2018. The accessed email accounts were found to contain tens of thousands protected health information of ATI patients. The compromised information vary from person to person. But some may have the following information exposed: names, birth dates, credit/debit card numbers, state ID numbers, driver’s license numbers, Social Security numbers, health insurance information, Medicare/Medicaid information, billing/claims information, financial account numbers, patient ID numbers, disability codes, diagnoses, prescription details, treatment information, physicians’ and therapists’ names. According to ATI Physical Therapy, only a few patients had their Social Security numbers compromised.
ATI Physical Therapy already notified by mail all the patients affected by the phishing incident. ATI offered the patients free credit monitoring services and an identity theft insurance policy amounting to $1 million. The forensic investigators did not receive any report that suggest the misuse of patients’ PHI.
The investigation of the data breach is still ongoing. But ATI Physical Therapy has already taken steps to improve their email security and avoid future breaches. Employees were given extra training on phishing scam awareness. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicated the potential exposure of the PHI of 35,136 patients.