On August 24, 2022, Northeast Rehabilitation Hospital Network (“NRHN”) reported a data breach to the Attorney General of Montana and other government entities. According to NRHN, the breach resulted in the sensitive information of certain individuals being compromised; however, because the company’s investigation is ongoing, it has not yet developed a list of all leaked data types. After confirming the breach and identifying all affected parties, Northeast Rehabilitation began sending out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Northeast Rehabilitation data breach, please see our recent piece on the topic here.
What We Know About the Northeast Rehabilitation Data Breach
The information about the Northeast Rehabilitation Hospital Network data breach comes from the Attorney General of Montana. According to the most current information, on September 30, 2021, NRHN became aware of suspicious activity across its computer systems. In response, the company took the necessary steps to secure its systems and retained the services of an outside cybersecurity firm to assist with its investigation.
Through this investigation, Northeast Rehabilitation Hospital Network learned an unauthorized party was able to access some of the company’s files between September 30, 2021, and October 5, 2021.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Northeast Rehabilitation began the process of reviewing all affected files to determine what information was compromised and which consumers were impacted by the incident. However, because NRHN is still in the process of reviewing all affected files, it has not yet released a complete list of the information that was subject to unauthorized access.
On August 24, 2022, Northeast Rehabilitation sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About Northeast Rehabilitation Hospital Network
Founded in 1984, Northeast Rehabilitation Hospital Network is a healthcare provider based in Salem, New Hampshire. The NRHN network includes over 20 outpatient centers, a home care division, a sports medicine division, an outpatient pediatric division and many other practices focused on providing rehabilitative services to patients. NRHN provides inpatient, outpatient, home care and pediatric services to patients in New Hampshire and Massachusetts. Northeast Rehabilitation employs more than 1,000 people and generates approximately $80 million in annual revenue.
What Is Protected Health Information and Why Consumers Should Be Cautious After a Healthcare Data Breach
While we know that the Northeast Rehabilitation Hospital Network data breach affected sensitive patient information, the company is still in the process of investigating the scope of the breach, so we don’t know the exact data types that were subject to unauthorized access. However, based on the company’s business, it is likely that the breach involved patients’ protected health information.
Protected health information (PHI) is data that relates to a patient’s past or current health condition or how a patient paid for their healthcare services. For example, the results of a blood test or MRI, insurance claims information, or a list of a patient’s past medical procedures could all be protected health information. However, compromised healthcare-related data is only considered protected if it contains one or more identifiers. An identifier is an additional piece of data included with the breached information that would allow someone to match the healthcare data to a specific patient. For example, identifiers include patients’ names, physical or email addresses, photographs, fingerprints, or Social Security numbers.
But what is the significance of a data breach that affects your PHI? From a patient’s perspective, the fact that data is classified as protected health information means that anyone who comes into possession of the leaked data will have sufficient information to carry out healthcare identity fraud.
Healthcare identity theft is similar to other types of identity theft; however, it is typically more difficult to resolve. This is because it often takes longer to straighten out due to the complexities of the healthcare industry. Not only that, but unlike other forms of identity theft, healthcare identity theft can put patients’ health at risk.
For example, after a hacker obtains your protected health information, they often post the data for sale on the dark web. The person who purchases the data likely does so to obtain medical care in your name. In doing so, when the doctor asks the “fake patient” for any relevant information, such as their current medications or past medical procedures, they will provide the doctor with their own information. This can result in a situation where a patient’s medical record contains inaccurate information when they go to the doctor for treatment. Notably, there is no confirmation that the Northeast Rehabilitation Hospital Network data breach leaked patients’ protected health information; however, it is fair to assume that NRHN has this data in its possession, making it fairly likely that it was included in the compromised data.
Victims of a data breach involving protected health information should be sure to take all necessary precautions, including reviewing their medical records and informing their providers. Patients who have questions about how to hold a company accountable for the theft of their information should reach out to a data breach lawyer for assistance.