Unauthorized access to employee email accounts has compromised the medical and personal data of current and former patients.
On January 16, 2025, Mid South Rehab Services Inc. discovered suspicious activity in one of its employee email accounts. A forensic investigation revealed that a cybercriminal had accessed two employees' inboxes, viewing emails and attachments containing sensitive patient information.
The breach exposed both personally identifiable information (PII) and protected health information (PHI), including names, Social Security numbers, dates of birth, and medical records. While the total number of individuals affected has not been disclosed, Mid South Rehab has begun mailing notifications to impacted patients.
The compromised information poses an elevated risk of identity theft and fraud. In response, the company secured the affected accounts, launched an investigation with external cybersecurity experts, and notified federal law enforcement. A dedicated support line has been made available for affected individuals seeking assistance or more information.
Mid South Rehab has published a Notice of Data Privacy Event on its website and is advising recipients to monitor their credit and remain vigilant for scams or unauthorized account activity.
The company has not issued a detailed public statement beyond the posted notice. It is encouraging affected individuals to take precautionary steps such as reviewing their credit reports, placing fraud alerts or credit freezes, and watching for phishing attempts using their personal details.
The breach at Mid South Rehab Services Inc., caused by unauthorized access to two employee email accounts, mirrors a broader pattern documented in Paubox’s reports showing that email remains the leading entry point for cyberattacks in healthcare. In this case, a cybercriminal accessed inboxes containing Social Security numbers, medical records, and other protected health information, the same type of data frequently exposed in similar credential or phishing-based intrusions.
Between January 2024 and January 2025, 180 healthcare organizations reported email-related breaches to the HHS Office for Civil Rights, and 107 such incidents were reported in the first half of 2025 alone. The financial impact continues to escalate, with the average cost of a healthcare data breach now reaching $11 million, the highest of any industry.
Healthcare email systems often hold unstructured data such as medical records, billing information, and personal identifiers, so even a single compromised inbox hands an attacker a valuable haul without any further access to clinical systems.
PII (Personally Identifiable Information) refers to data like names and Social Security numbers. PHI (Protected Health Information) includes medical history and treatment details protected under HIPAA.
In many cases, attackers maintain access for days or weeks before detection. The exact timeline for this breach has not been publicly disclosed.
Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals without unreasonable delay, and no later than 60 days after discovering a breach. Affected individuals may also join class-action lawsuits or seek identity theft protections, depending on the case.
Regular staff training, email encryption, multifactor authentication on mail accounts, monitoring of mailbox access for unusual sources or volumes, and limiting how much sensitive data is retained in inboxes are all preventive measures.
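The detection gap described above (attackers reading mail for days or weeks before anyone notices) and the advice to keep sensitive data out of inboxes can both be made concrete. The following Python is an added example written for this page; it is not code from Mid South Rehab, Paubox, or any vendor. It baselines which source addresses each user normally reads mail from, flags post-baseline reads from an unknown address and bulk item access within an hour, and counts SSN-shaped values in mailbox text to size what an inbox would expose. The audit-record field names, the thresholds, the addresses, and every log line and SSN are constructed assumptions, not real data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mailbox audit events (not real data). The field names are
# an assumption, loosely modelled on "mail items accessed" style records; the
# IP addresses are documentation ranges.
AUDIT_EVENTS = [
    {"user": "alice@example.org", "time": "2025-01-06T08:55:00", "ip": "198.51.100.10", "items": 8},
    {"user": "alice@example.org", "time": "2025-01-07T09:10:00", "ip": "198.51.100.10", "items": 11},
    {"user": "alice@example.org", "time": "2025-01-08T13:40:00", "ip": "198.51.100.10", "items": 6},
    {"user": "bob@example.org",   "time": "2025-01-06T10:05:00", "ip": "198.51.100.22", "items": 9},
    {"user": "bob@example.org",   "time": "2025-01-09T16:20:00", "ip": "198.51.100.22", "items": 7},
    # After the baseline: alice's mailbox is read in bulk, at night, from an
    # address never seen before (the shape of a credential-based intrusion).
    {"user": "alice@example.org", "time": "2025-01-15T02:14:00", "ip": "203.0.113.77", "items": 140},
    {"user": "alice@example.org", "time": "2025-01-15T02:31:00", "ip": "203.0.113.77", "items": 210},
    {"user": "alice@example.org", "time": "2025-01-15T02:58:00", "ip": "203.0.113.77", "items": 95},
    # After the baseline: bob's ordinary activity from his usual address.
    {"user": "bob@example.org",   "time": "2025-01-15T09:00:00", "ip": "198.51.100.22", "items": 10},
]

BASELINE_DAYS = 7              # assumption: learn "normal" source IPs from the first week
BULK_WINDOW = timedelta(hours=1)
BULK_THRESHOLD = 300           # assumption: items read per user per hour worth a look


def _parsed(events):
    """Parse timestamps and return the events in chronological order."""
    return sorted(({**e, "time": datetime.fromisoformat(e["time"])} for e in events),
                  key=lambda e: e["time"])


def build_baseline(events, baseline_days=BASELINE_DAYS):
    """Map each user to the source IPs seen during the baseline window.

    Returns (known_ips_by_user, cutoff); events before `cutoff` are baseline.
    """
    events = _parsed(events)
    cutoff = events[0]["time"] + timedelta(days=baseline_days)
    known = defaultdict(set)
    for e in events:
        if e["time"] < cutoff:
            known[e["user"]].add(e["ip"])
    return known, cutoff


def detect(events):
    """Return (user, reason, detail) alerts for events after the baseline.

    Two rules: a source IP the user has never used before, and at least
    BULK_THRESHOLD items read within BULK_WINDOW (a mailbox being scraped).
    """
    known, cutoff = build_baseline(events)
    alerts = []
    recent = defaultdict(list)   # user -> [(time, items)] inside the bulk window
    for e in _parsed(events):
        if e["time"] < cutoff:
            continue
        user = e["user"]
        if e["ip"] not in known[user]:
            alerts.append((user, "new_source_ip", e["ip"]))
            known[user].add(e["ip"])          # alert once per new address
        recent[user] = [(t, n) for t, n in recent[user] if e["time"] - t <= BULK_WINDOW]
        recent[user].append((e["time"], e["items"]))
        total = sum(n for _, n in recent[user])
        if total >= BULK_THRESHOLD:
            alerts.append((user, "bulk_access", total))
            recent[user] = []                 # one burst, one alert
    return alerts


# NNN-NN-NNNN with the area (000, 666, 9xx), group (00) and serial (0000)
# values the SSA never issues excluded, so reference numbers in the same
# shape are less likely to be counted.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed mailbox text; the SSNs are fictitious.
SAMPLE_MAILBOX_TEXT = (
    "Intake form attached for J. Doe, SSN 219-09-9999; prior record 078-05-1120. "
    "Placeholder 999-99-9999 on the template is not a real number."
)


def count_ssn_like(text):
    """Count SSN-shaped values in mailbox content, to size what an inbox exposes."""
    return len(SSN_RE.findall(text))


if __name__ == "__main__":
    for alert in detect(AUDIT_EVENTS):
        print(alert)
    print("SSN-like values in sample mailbox text:", count_ssn_like(SAMPLE_MAILBOX_TEXT))
```

On the constructed data, the script raises one new-source alert and one bulk-access alert for alice's mailbox and nothing for bob, and counts two SSN-shaped values in the sample text. In a real tenant the same two rules would run over exported mailbox audit logs, and the SSN count is the sort of number that drives a retention rule for attachments left in inboxes; the thresholds here are starting points, not tuned values.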