Another day, another hack targeting the healthcare sector. Vancouver-based Rebound Orthopedics & Neurosurgery revealed Friday evening it fell victim to a malware-laced phishing attack that resulted in the exposure of 2,800 records, including personal data of patients and staff.
The breach reportedly started with a phishing email. An employee unknowingly opened the included attachment, which unleashed malware that collected patient personal information — including name, date of birth, Social Security number, driver’s license number, financial account information and some health information. Personal data of Rebound employees may have also been compromised.
“We have no idea who did this,” said Rebound Executive Director John Bauman.
After learning of the incident, Rebound immediately notified its information technology department, which halted unauthorized access. Rebound also enlisted the help of a computer forensic team which detected not one but three attempts to break into Rebound data — two from the United States and one from elsewhere.
The healthcare unit then emailed those affected, listing steps that people can take to monitor and protect their personal and financial information.
“Although at this time there is no evidence of any attempted or actual misuse of anyone’s information as a result of this incident, Rebound has sent notification letters to the potentially impacted individuals to notify them of this incident and to provide resources to assist them,” the company said in a news release. “The privacy and protection of personal information is a top priority for Rebound, which sincerely regrets any concern or inconvenience that this matter may cause.”
The news release doesn’t state the type of malware used in the attack. However, based on the description offered by Rebound officials, hackers likely used a typical RAT (Remote Access Trojan) to conduct their operation.
Rebound Orthopedics & Neurosurgery was the second Vancouver business to report a breach last week, according to The Columbian. On Wednesday, October 3, a privately held American restaurant chain in Oregon called Burgerville said thousands of customers’ credit and debit card information may have been compromised during a cyberattack it learned of in August. A customer sued the company immediately after the announcement.