Northeast Rehabilitation Hospital Network Files Notice of Data Breach

Console and Associates, P.C.

On August 24, 2022, Northeast Rehabilitation Hospital Network (“NRHN”) reported a data breach to the Attorney General of Montana and other government entities. According to NRHN, the breach resulted in the sensitive information of certain individuals being compromised; however, because the company’s investigation is ongoing, it has not yet developed a list of all leaked data types. After confirming the breach and identifying all affected parties, Northeast Rehabilitation began sending out data breach letters to all affected parties.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Northeast Rehabilitation data breach, please see our recent piece on the topic here.

What We Know About the Northeast Rehabilitation Data Breach

The information about the Northeast Rehabilitation Hospital Network data breach comes from the Attorney General of Montana. According to the most current information, on September 30, 2021, NRHN became aware of suspicious activity across its computer systems. In response, the company took the necessary steps to secure its systems and retained the services of an outside cybersecurity firm to assist with its investigation.

Through this investigation, Northeast Rehabilitation Hospital Network learned an unauthorized party was able to access some of the company’s files between September 30, 2021, and October 5, 2021.

Upon discovering that sensitive consumer data was accessible to an unauthorized party, Northeast Rehabilitation began the process of reviewing all affected files to determine what information was compromised and which consumers were impacted by the incident. However, because NRHN is still in the process of reviewing all affected files, it has not yet released a complete list of the information that was subject to unauthorized access.

On August 24, 2022, Northeast Rehabilitation sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.

More Information About Northeast Rehabilitation Hospital Network

Founded in 1984, Northeast Rehabilitation Hospital Network is a healthcare provider based in Salem, New Hampshire. The NRHN network includes over 20 outpatient centers, a home care division, a sports medicine division, an outpatient pediatric division and many other practices focused on providing rehabilitative services to patients. NRHN provides inpatient, outpatient, home care and pediatric services to patients in New Hampshire and Massachusetts. Northeast Rehabilitation employs more than 1,000 people and generates approximately $80 million in annual revenue.

What Is Protected Health Information and Why Consumers Should Be Cautious After a Healthcare Data Breach

While we know that the Northeast Rehabilitation Hospital Network data breach affected sensitive patient information, the company is still in the process of investigating the scope of the breach, so we don’t know the exact data types that were subject to unauthorized access. However, based on the company’s business, it is likely that the breach involved patients’ protected health information.

Protected health information is data that relates to a patient’s past or current health condition or how a patient paid for their healthcare services. For example, the results of a blood test or MRI, insurance claims information, or a list of a patient’s past medical procedures could all be protected health information. However, compromised healthcare-related data is only considered protected if it contains one or more identifiers. An identifier is an additional piece of data included with the breached information that would allow someone to match the healthcare data to a specific patient. For example, identifiers include patients’ names, physical or email addresses, photographs, fingerprints, or Social Security numbers.

But what is the significance of a data breach that affects your PHI? From a patient’s perspective, the fact that data is classified as protected health information means that anyone who comes into possession of the leaked data will have sufficient information to carry out healthcare identity fraud.

Healthcare identity theft is similar to other types of identity theft; however, it is typically more difficult to resolve. This is because it often takes longer to straighten out due to the complexities of the healthcare industry. Not only that, but unlike other forms of identity theft, healthcare identity theft can put patients’ health at risk.

For example, after a hacker obtains your protected health information, they often post the data for sale on the dark web. The person who purchases the data likely does so to obtain medical care in your name. In doing so, when the doctor asks the “fake patient” for any relevant information, such as their current medications or past medical procedures, they will provide the doctor with their own information. This can result in a situation where a patient’s medical record contains inaccurate information when they go to the doctor for treatment. Notably, there is no confirmation that the Northeast Rehabilitation Hospital Network data breach leaked patients’ protected health information; however, it is fair to assume that NRHN has this data in its possession, making it fairly likely that it was included in the compromised data.

Victims of a data breach involving protected health information should be sure to take all necessary precautions, including reviewing their medical records and informing their providers. Patients who have questions about how to hold a company accountable for the theft of their information should reach out to a data breach lawyer for assistance.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Console and Associates, P.C. | Attorney Advertising
