A Washington medical group practice specializing in orthopedics has notified individuals of a data security event that might have exposed some of their personal information.
On 5 October, Rebound Orthopedics & Neurosurgery (“Rebound”) of Vancouver, Washington published a statement publicly disclosing an incident that it detected earlier in the year:
“On May 22, 2018, an unknown individual gained access to an employee’s email account. We quickly took action and notified our IT department of the incident, who prevented any further unauthorized access. We also retained a computer forensic company and conducted a detailed forensic investigation to determine what information may have been accessed.”
Rebound’s forensic investigation revealed that the incident might have affected some individuals’ personal information, including their name, date of birth, Social Security Number, driver’s license information and limited medical information. However, the medical group practice found no indications that anyone had attempted to misuse this information.
Rebound Orthopedics & Neurosurgery, which operates seven clinics in the Portland and southwest Washington area, explained in its statement that it implemented employee training and testing, dual-factor authentication, a required password change policy and additional security measures to prevent a similar incident from happening again. The medical group practice also mailed out letters to affected individuals, established a toll-free call center to help answer victims’ questions and provided information on how affected individuals can place a fraud alert on their credit reports.
“The privacy and protection of personal information is a top priority for Rebound, which sincerely regrets any concern or inconvenience that this matter may cause,” Rebound stated.
This incident highlights the need for organizations in every sector to invest in employee security awareness training, especially around the topic of phishing attacks. It also underscores the importance of healthcare organizations taking appropriate steps to secure their patients’ electronic medical records (EMRs). Here’s some guidance on how to maintain the security and integrity of EMR systems.