In December 2024, Health Care and Rehabilitation Services of Southeastern Vermont, Inc. (HCRS) experienced a data breach involving unauthorized access to two staff email accounts. The breach was first discovered on December 20, 2024, after suspicious activity was detected within the organization’s email environment.
Following immediate containment efforts, HCRS launched a thorough investigation with the help of third-party cybersecurity professionals. The forensic review determined that the unauthorized actor accessed the email accounts between approximately December 4, 2024, and December 9, 2024.
The investigation revealed that a limited number of individuals were affected, including both clients and staff.
Exposed personally identifiable information (PII) included first and last names, dates of birth, Social Security numbers, financial account numbers, and driver’s license numbers. Protected health information (PHI) was also involved, such as dates of treatment or service, individual health insurance information, medical history, patient numbers, medical record numbers (MRNs), healthcare billing information, and other medical treatment details.
Because the breach involved highly sensitive data including both PII and PHI, the potential risk for affected individuals remains significant. Details about the breach, including the types of information exposed and steps for affected individuals, are outlined in the official security incident notice posted by HCRS.
Upon discovering the unauthorized access, HCRS immediately secured the affected email accounts by resetting passwords and containing the incident. The organization engaged specialized third-party cybersecurity experts to conduct a comprehensive forensic investigation and to help secure its email environment against further unauthorized access. HCRS has stated that it continually evaluates and updates its security practices and internal controls to protect personal information.
For those potentially affected, HCRS is providing direct notice by mail, as long as a valid mailing address is available. The organization has also set up a dedicated contact person, Rose Nevins-Alderfer, who can be reached at rnevins@hcrs.org for questions and support. In addition, HCRS is establishing a confidential toll-free response line staffed with professionals familiar with the incident.
If you believe you may have been affected, you should remain vigilant by monitoring your account statements, explanation of benefits forms, and free credit reports for any suspicious activity. You are entitled to one free credit report annually from each of the three major credit reporting bureaus. Affected individuals are also encouraged to consider placing a fraud alert or security freeze on their credit files, and to review their health insurance statements for any unrecognized activity.
For more information about HCRS, visit the official HCRS website.