Vendor Breach Exposes Patient Data at Innovative Physical Therapy

Innovative Physical Therapy Discloses Patient Data Breach Due to Phishing Attack on Third-Party Vendor

MEDIUM
November 19, 2025
Data Breach, Supply Chain Attack, Phishing

Impact Scope

  • People Affected: 2,023+
  • Industries Affected: Healthcare
  • Geographic Impact: United States (national)
  • Related Entities: Innovative Physical Therapy (Other)

Full Report

Executive Summary

Innovative Physical Therapy, a network of outpatient rehabilitation centers, has reported a data breach affecting at least 2,023 of its patients. The incident was a result of a supply chain compromise, where a third-party vendor providing practice management services was breached. The vendor discovered on August 25, 2025, that two of its employees' email accounts were compromised after they responded to phishing emails. The unauthorized access, which occurred in June 2025, exposed a significant amount of patient PII and PHI, including Social Security numbers and medical details. The breach has been reported to the U.S. Department of Health and Human Services.


Threat Overview

  • Victim: Patients of Innovative Physical Therapy.
  • Breached Entity: An unnamed third-party vendor providing practice management services.
  • Attack Vector: A phishing campaign (T1566 - Phishing) targeting employees at the third-party vendor.
  • Incident Type: This is a classic supply chain data breach (T1195.002 - Compromise Software Supply Chain), where the vulnerability lay with a trusted partner rather than the primary organization.

Technical Analysis

The attack followed a common pattern for supply chain breaches originating from email compromise:

  1. Initial Access: Threat actors sent phishing emails to employees at the third-party vendor. Two employees fell for the scam and provided their email account credentials.
  2. Account Takeover: The attackers used the stolen credentials to log into the employees' email accounts (T1078 - Valid Accounts) between June 25 and June 26, 2025.
  3. Data Collection: The attackers then mined the compromised mailboxes for sensitive information. Since the vendor provided practice management services, their email accounts contained a wealth of Innovative Physical Therapy's patient data, likely in the form of reports, spreadsheets, and routine communications.
  4. Data Exfiltration: The attacker accessed and likely exfiltrated the data found within the mailboxes.

This incident highlights the critical importance of third-party risk management. An organization's security is only as strong as its weakest link, which often lies within its extended network of vendors and partners.

Impact Assessment

  • Highly Sensitive Data Exposed: The breach compromised a combination of PII and PHI, creating a significant risk for the 2,023+ affected individuals. The exposed data includes:
    • Names, dates of birth, phone numbers
    • Social Security numbers
    • Medical information and health insurance details
  • High Risk of Fraud: This data is a goldmine for criminals, who can use it for identity theft, medical insurance fraud, opening fraudulent lines of credit, and crafting extremely convincing spear-phishing attacks against the victims.
  • Regulatory Consequences: The breach falls under HIPAA regulations. Both Innovative Physical Therapy (as the covered entity) and the unnamed vendor (as the business associate) could face investigations and potential fines from the HHS Office for Civil Rights.
  • Reputational and Legal Risk: Innovative Physical Therapy faces reputational damage and potential lawsuits from affected patients, even though the breach occurred at their vendor.

Cyber Observables for Detection

Detection relies on the vendor's ability to monitor for email account compromise:

  • log_source (Cloud email audit logs): Monitoring for suspicious logins, impossible travel, and anomalous mailbox activity is essential.
  • user_account_pattern (Massive email access/download): An account suddenly accessing or downloading hundreds of historical emails or attachments is a red flag for data mining.
  • event_id (New-InboxRule, PowerShell): The creation of forwarding rules to external email addresses is a classic TTP for data exfiltration from a compromised mailbox.
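The three observables above can be checked mechanically against a mailbox audit feed. The Python below is an added example, not code from the article or from any audit or SIEM product: it runs one rule per observable (impossible travel between successive logins, a burst of mailbox reads, and an inbox rule that forwards to an address outside the vendor's domain) over a handful of constructed audit records. The record fields, the operation names, the `vendor.example` domain, the IP addresses and the thresholds are all assumptions, loosely modelled on what cloud mailbox audit logs carry.

```python
"""Detection rules for the three observables in the table, run over
constructed cloud-mailbox audit records (not logs from the real incident)."""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"vendor.example"}  # assumed mail domain of the breached vendor


def _rec(ts, user, op, ip, country, params=None):
    """Build one audit record; the field names are an assumed, simplified schema."""
    return {"ts": ts, "user": user, "op": op, "ip": ip, "country": country, "params": params or {}}


ALICE, BOB = "alice@vendor.example", "bob@vendor.example"

# Constructed sample: alice's account is taken over from abroad, bob is benign.
EVENTS = [
    _rec("2025-06-25T08:02:00", ALICE, "UserLoggedIn", "203.0.113.10", "US"),
    _rec("2025-06-25T08:40:00", ALICE, "UserLoggedIn", "198.51.100.7", "NG"),
    _rec("2025-06-25T09:00:00", BOB, "UserLoggedIn", "203.0.113.22", "US"),
    _rec("2025-06-25T14:00:00", BOB, "UserLoggedIn", "203.0.113.22", "US"),
    _rec("2025-06-25T09:30:00", ALICE, "New-InboxRule", "198.51.100.7", "NG",
         {"Name": "archive", "ForwardTo": "collector@external-mail.example"}),
    _rec("2025-06-25T10:00:00", BOB, "New-InboxRule", "203.0.113.22", "US",
         {"Name": "billing", "ForwardTo": "bob.archive@vendor.example"}),
]
# 120 mailbox reads in 20 minutes from the foreign session (constructed burst)
EVENTS += [_rec((datetime(2025, 6, 25, 8, 45) + timedelta(seconds=10 * i)).isoformat(),
                ALICE, "MailItemsAccessed", "198.51.100.7", "NG") for i in range(120)]
# a normal trickle of reads for bob
EVENTS += [_rec(f"2025-06-25T11:0{i}:00", BOB, "MailItemsAccessed", "203.0.113.22", "US")
           for i in range(5)]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_impossible_travel(events, max_gap_minutes=60):
    """Flag a user whose consecutive logins come from different countries
    closer together than any plausible journey (assumed 60-minute bound)."""
    alerts, last_login = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] != "UserLoggedIn":
            continue
        prev = last_login.get(ev["user"])
        if prev and prev["country"] != ev["country"]:
            gap = _ts(ev) - _ts(prev)
            if gap <= timedelta(minutes=max_gap_minutes):
                minutes = int(gap.total_seconds() // 60)
                alerts.append(("impossible_travel", ev["user"],
                               f"{prev['country']}->{ev['country']} in {minutes} min"))
        last_login[ev["user"]] = ev
    return alerts


def detect_mass_access(events, threshold=100, window_minutes=30):
    """Flag a mailbox from which more than `threshold` items are read inside a
    sliding window; the numbers are assumed tuning values, not a standard."""
    alerts, per_user = [], defaultdict(list)
    for ev in events:
        if ev["op"] == "MailItemsAccessed":
            per_user[ev["user"]].append(_ts(ev))
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > timedelta(minutes=window_minutes):
                start += 1
            if end - start + 1 > threshold:
                alerts.append(("mass_mailbox_access", user,
                               f"{end - start + 1} items in {window_minutes} min"))
                break
    return alerts


def detect_external_forwarding(events, internal_domains=INTERNAL_DOMAINS):
    """Flag New-InboxRule events whose forwarding target leaves the vendor's domain."""
    alerts = []
    for ev in events:
        if ev["op"] != "New-InboxRule":
            continue
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            target = ev["params"].get(key)
            if target and target.rsplit("@", 1)[-1].lower() not in internal_domains:
                alerts.append(("external_forwarding_rule", ev["user"], f"{key}={target}"))
    return alerts


def run_detections(events):
    """Run all three rules and return the combined alert list."""
    return (detect_impossible_travel(events) + detect_mass_access(events)
            + detect_external_forwarding(events))


if __name__ == "__main__":
    for rule, user, detail in run_detections(EVENTS):
        print(f"{rule:26} {user:22} {detail}")
```

Each rule returns tuples rather than printing, so the same functions can be fed from a real audit export and their output routed to a SIEM or ticketing system; the thresholds are deliberately exposed as parameters because the right values depend on how the vendor's staff actually use mail.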

Detection & Response

For organizations like Innovative Physical Therapy, detection involves monitoring vendor relationships:

  • Vendor Breach Notifications: Having a process to quickly ingest, analyze, and act upon breach notifications from third-party vendors is critical.
  • Data Flow Monitoring: Where possible, monitor data flows between your organization and your vendors. A sudden, unexplained increase in data being pulled by a vendor could warrant investigation.
  • Contractual Obligations: Ensure contracts require vendors to report security incidents within a specific, short timeframe.

Mitigation

  1. Third-Party Risk Management (TPRM): Implement a robust TPRM program. This must include thorough security vetting of all vendors before onboarding and regular security assessments thereafter. This is the core of D3FEND's D3-VAM - Vendor Security Assessment.
  2. Business Associate Agreements (BAAs): For healthcare, ensure that strong BAAs are in place with all vendors that handle PHI. These agreements should clearly define security responsibilities and incident reporting requirements.
  3. Data Minimization: Share only the absolute minimum amount of data necessary for a vendor to perform their function. Avoid sharing sensitive data like SSNs unless it is strictly required and protected by the vendor.
  4. Flow-Down Security Requirements: Mandate that your vendors implement key security controls, such as MFA, employee security training, and data encryption, as a condition of doing business. This directly addresses the root cause of this breach.

Timeline of Events

  1. June 25, 2025: Unauthorized party gains access to vendor employee email accounts.
  2. August 25, 2025: The third-party vendor first learns of the breach.
  3. October 2, 2025: Innovative Physical Therapy discloses the breach to the U.S. Department of Health and Human Services.
  4. November 19, 2025: This article was published.

MITRE ATT&CK Mitigations

  • While not a traditional vulnerability, assessing the security posture of third-party vendors is a form of vulnerability management for the supply chain.
  • Requiring vendors to use MFA would have prevented the phishing attack from succeeding.

Mapped D3FEND Techniques:

  • Security awareness training at the vendor is a critical preventative control.

D3FEND Defensive Countermeasures

To prevent supply chain breaches like the one affecting Innovative Physical Therapy, organizations must implement a rigorous Vendor Security Assessment program. This goes beyond a simple pre-contract questionnaire. It requires mandating key security controls in vendor contracts, such as requiring MFA on all accounts, evidence of regular employee security training, and defined incident notification timelines. Organizations should also conduct their own due diligence, using external attack surface management (EASM) tools to assess a vendor's security posture. For a vendor handling PHI, evidence of a strong security program (like a SOC 2 Type II report or HITRUST certification) should be a non-negotiable requirement. This proactive approach ensures that vendors are not the weakest link in the security chain.

Data Loss Prevention (DLP) technology could have mitigated the impact of this breach. Even though the compromise happened at the vendor, Innovative Physical Therapy could have implemented cloud-based DLP on its own email tenant to monitor data sharing. A properly configured DLP policy would have detected and potentially blocked emails containing large volumes of patient PHI and SSNs from being sent to the vendor's domain in the first place, enforcing data minimization. At the vendor, a host or network DLP solution could have detected and blocked the exfiltration of this sensitive data from their environment, even after the email accounts were compromised. DLP acts as a crucial backstop to prevent sensitive data from leaving a trusted environment, regardless of how it was accessed.
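The outbound DLP policy described above, as it would apply on the covered entity's own mail tenant, can be expressed as a few rules: SSNs never leave for the vendor, bulk patient rosters are held for review, and patient data addressed to a domain without a business associate agreement is refused outright. The Python below is an added example, not the article's or any DLP product's policy language; the `ipt.example` and `vendor.example` domains, the 25-record threshold, the CSV column names and the sample rosters are constructed assumptions.

```python
"""Outbound-mail DLP check for a covered entity's own tenant (added example).
Messages and rosters below are constructed; no real patient data is used."""
import csv
import io
import re

POLICY = {
    "internal_domains": {"ipt.example"},      # assumed covered-entity mail domain
    "baa_domains": {"vendor.example"},        # assumed vendor domain covered by a BAA
    "max_records_without_review": 25,         # assumed bulk-PHI review threshold
}

# SSN pattern excluding structurally invalid area (000, 666, 9xx), group (00)
# and serial (0000) values, which cuts down false positives on other 9-digit codes.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d\d\b")


def find_ssns(text):
    """Return every SSN-shaped token in a body or attachment."""
    return SSN_RE.findall(text)


def count_patient_records(attachment_csv):
    """Count CSV rows that carry at least a patient name and a date of birth."""
    reader = csv.DictReader(io.StringIO(attachment_csv))
    return sum(1 for row in reader if row.get("name") and DOB_RE.search(row.get("dob") or ""))


def evaluate_outbound(message):
    """Return (action, reasons) for a message dict with keys to, body, attachments."""
    texts = [message["body"], *message["attachments"]]
    ssns = [s for t in texts for s in find_ssns(t)]
    records = sum(count_patient_records(a) for a in message["attachments"])
    recipient_domains = {addr.rsplit("@", 1)[-1].lower() for addr in message["to"]}
    if recipient_domains <= POLICY["internal_domains"]:
        return "allow", []                      # stays inside the covered entity
    approved = POLICY["baa_domains"] | POLICY["internal_domains"]
    if not recipient_domains <= approved and (ssns or records):
        return "block", ["patient data addressed to a domain without a BAA"]
    if ssns:
        return "block", [f"{len(ssns)} SSN(s) in outbound mail; data minimization forbids sharing SSNs with the vendor"]
    if records > POLICY["max_records_without_review"]:
        return "flag", [f"{records} patient records exceeds the review threshold"]
    return "allow", []


# Constructed sample rosters (fictitious names, dates and SSN-shaped values)
ROSTER_WITH_SSN = "name,dob,ssn\nA. Patient,03/14/1970,123-45-6789\nB. Patient,11/02/1985,234-56-7890\n"
SMALL_ROSTER = "name,dob\nA. Patient,03/14/1970\nB. Patient,11/02/1985\nC. Patient,07/30/1992\n"
BULK_ROSTER = "name,dob\n" + "".join(f"P{i} Patient,01/{i % 28 + 1:02d}/1980\n" for i in range(30))

MSG_SSN_TO_VENDOR = {"to": ["billing@vendor.example"], "body": "Roster attached.", "attachments": [ROSTER_WITH_SSN]}
MSG_BULK_TO_VENDOR = {"to": ["billing@vendor.example"], "body": "Monthly roster.", "attachments": [BULK_ROSTER]}
MSG_SMALL_TO_VENDOR = {"to": ["billing@vendor.example"], "body": "Three appointments.", "attachments": [SMALL_ROSTER]}
MSG_INTERNAL = {"to": ["clinic@ipt.example"], "body": "Internal roster.", "attachments": [ROSTER_WITH_SSN]}
MSG_NO_BAA = {"to": ["someone@unknown-mail.example"], "body": "Appointments.", "attachments": [SMALL_ROSTER]}

if __name__ == "__main__":
    for name, msg in [("ssn->vendor", MSG_SSN_TO_VENDOR), ("bulk->vendor", MSG_BULK_TO_VENDOR),
                      ("small->vendor", MSG_SMALL_TO_VENDOR), ("internal", MSG_INTERNAL),
                      ("no-BAA", MSG_NO_BAA)]:
        print(name, evaluate_outbound(msg))
```

The order of the checks matters: the BAA test runs first so that a misaddressed roster is refused even when it contains no SSN, and the SSN rule sits ahead of the bulk threshold so a two-row attachment with identifiers is still blocked rather than merely flagged. A production policy would also inspect non-CSV attachments and encrypted archives, which this example leaves out.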

Article Author

Jason Gomes
  • Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Data Breach, Healthcare, Supply Chain Attack, Phishing, Vendor Breach, PHI
