A data breach at Rebound Orthopedics & Neurosurgery may have revealed individuals’ personal information, including Social Security numbers and limited health information, the Vancouver-based company announced Friday evening.
“Although at this time there is no evidence of any attempted or actual misuse of anyone’s information as a result of this incident, Rebound has sent notification letters to the potentially impacted individuals to notify them of this incident and to provide resources to assist them,” the company said in a news release.
No medical records appeared to have been accessed, company officials said.
It is the second Vancouver-based business to report a data breach this week. On Wednesday, Burgerville said thousands of customers’ credit and debit card information may have been compromised during a cyberattack it learned of in late August. The same day, a class action lawsuit was filed on behalf of a Burgerville customer, alleging the company was negligent in its cybersecurity practices.
Rebound said in its news release that on May 22 an unknown individual gained access to an employee’s email account. Rebound notified its information technology department of the incident. That prevented further unauthorized access, the company says in the release.
On Aug. 8, Rebound’s computer forensic investigation showed that patient personal information — including name, date of birth, Social Security number, driver’s license number, financial account information and limited health information — may have been disclosed, the company says.
Rebound executive director John Bauman said the delay in alerting customers until Friday was because of the amount of work computer forensic contractors needed to assess the extent of the breach.
He said about 2,800 patients and employees may have been affected by the breach.
Notification letters mailed Friday include information about the incident and steps people can take to monitor and protect their personal information.
Rebound has established a toll-free call center to answer questions about the incident and related concerns. The call center is available Monday through Friday from 6 a.m. to 3:30 p.m., Pacific Time and can be reached at 1-833-228-5716.
Rebound also is offering free identity theft protection and credit monitoring services through Kroll, a cybersecurity company.
“The privacy and protection of personal information is a top priority for Rebound,” the company said at the end of its statement, “which sincerely regrets any concern or inconvenience that this matter may cause.”
Officials believe the breach started with an email sent to a Rebound employee, Rebound executive director John Bauman said Friday night. While Rebound employees are trained to scrutinize suspicious emails, the phishing email arrived from a trusted source — a Rebound contractor whose cybersecurity also had been breached. Representatives with that company could not be reached Friday night.
The Rebound employee opened the email and also an attachment, which unleashed malware that collected information, Bauman said.
“We have no idea who did this,” Bauman said.
After they were hired, computer forensic consultants detected three attempts to break into Rebound data — two from locations in the United States and another from a location outside the U.S.
Rebound Orthopedics & Neurosurgery has been operating in Vancouver and the Portland metro area for more than 40 years. The company operates seven primary clinics — four in Vancouver and Clark County, two in Portland and one in Lake Oswego, Ore. Each clinic has a mix of specialties including orthopedics, neurosurgery, physical medicine and rehabilitation, physical therapy and hand therapy. The company also serves as team physicians for the Portland Trail Blazers and the Portland Winterhawks.
Reporter Anthony Macuk contributed to this report.
Allan Brettman: 360-735-4699; allan.brettman@columbian.com; twitter.com/allanbrettman