On **August 25, 2025**, Innovative Physical Therapy discovered a **data breach** originating from a third-party vendor providing practice management services. The incident stemmed from two vendor employees falling victim to a **phishing scam** and disclosing their email credentials, which allowed unauthorized access to their email accounts between **June 25 and June 26, 2025**. This unauthorized access led to the compromise of **personally identifiable information (PII)** and **protected health information (PHI)**—including **names, dates of birth, Social Security numbers, phone numbers, medical records, and health insurance details**—of at least **2,023 individuals**. The breach poses severe risks, such as **identity theft, insurance fraud, and financial exploitation**, given the sensitivity of the exposed data. Innovative Physical Therapy reported the incident to the **U.S. Department of Health and Human Services (HHS)** on **October 2, 2025**, and issued consumer notices. The vendor secured the affected accounts, launched a forensic investigation, and began notifying impacted individuals, offering **credit monitoring and identity protection services**. The breach underscores vulnerabilities in third-party vendor security and the critical need for robust phishing defenses in healthcare data handling.
Source: https://www.claimdepot.com/data-breach/innovative-physical-therapy-2025
Innovative Therapy Concepts cybersecurity rating report: https://www.rankiteo.com/company/innovative-therapy-concepts
"id": "INN3702637112025",
"linkid": "innovative-therapy-concepts",
"type": "Breach",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '2,023 individuals',
'industry': 'Healthcare (Outpatient Physical Therapy & '
'Rehabilitation)',
'location': 'United States',
'name': 'Innovative Physical Therapy',
'type': 'Healthcare Provider'},
{'industry': 'Healthcare IT Services',
'name': 'Unnamed Practice Management Services Vendor',
'type': 'Third-Party Vendor'}],
'attack_vector': 'Phishing (Email Credential Theft)',
'customer_advisories': ['Dedicated helpline: 855-291-2518 (Mon-Fri, 8:00 a.m. '
'- 8:00 p.m. CT)',
'Credit monitoring and identity protection services '
'offered'],
'data_breach': {'data_exfiltration': 'Likely (Unauthorized Access to Email '
'Accounts)',
'file_types_exposed': ['Emails (Potentially Attachments with '
'Sensitive Data)'],
'number_of_records_exposed': '2,023',
'personally_identifiable_information': ['Names',
'Dates of Birth',
'Phone Numbers',
'Social Security '
'Numbers',
'Medical Information',
'Health Insurance '
'Details'],
'sensitivity_of_data': 'High (Includes SSNs, Medical & '
'Insurance Data)',
'type_of_data_compromised': ['PII (Personally Identifiable '
'Information)',
'PHI (Protected Health '
'Information)']},
'date_detected': '2025-08-25',
'date_publicly_disclosed': '2025-10-02',
'description': 'On Aug. 25, 2025, Innovative Physical Therapy, a network of '
'outpatient physical therapy clinics and rehabilitation '
'centers, learned that a vendor providing practice management '
'services had experienced a significant data breach. The '
'cybersecurity incident compromised both personally '
'identifiable information (PII) and protected health '
'information (PHI) of thousands of individuals. The breach '
'began when two employees of the vendor responded to phishing '
'emails, inadvertently disclosing their email account '
'credentials, allowing unauthorized access between June 25 and '
'June 26, 2025. Exposed data includes names, dates of birth, '
'phone numbers, Social Security numbers, medical information, '
'and health insurance details, posing risks of identity theft '
'or insurance fraud.',
'impact': {'brand_reputation_impact': 'Potential Reputation Damage (Identity '
'Theft/Insurance Fraud Risk)',
'data_compromised': ['Personally Identifiable Information (PII)',
'Protected Health Information (PHI)',
'Names',
'Dates of Birth',
'Phone Numbers',
'Social Security Numbers',
'Medical Information',
'Health Insurance Details'],
'identity_theft_risk': 'High',
'systems_affected': ['Vendor Email Accounts']},
'initial_access_broker': {'entry_point': 'Phishing Emails (Vendor Employee '
'Credentials)',
'high_value_targets': ['Email Accounts with '
'PII/PHI']},
'investigation_status': 'Ongoing (Third-Party Forensic Investigation Engaged)',
'post_incident_analysis': {'root_causes': ['Human Error (Phishing '
'Susceptibility)',
'Inadequate Email Security '
'Controls']},
'recommendations': ['Review notices from Innovative Physical Therapy or its '
'vendors',
'Sign up for complimentary credit monitoring and identity '
'protection',
'Monitor financial accounts and credit reports for '
'identity theft',
'Consider fraud alerts or credit freezes with major '
'credit bureaus',
'Be cautious of unsolicited emails/phone calls requesting '
'personal information'],
'references': [{'source': 'Innovative Physical Therapy Consumer Notice'},
{'date_accessed': '2025-10-02',
'source': 'U.S. Department of Health and Human Services (HHS) '
'Breach Notification'}],
'regulatory_compliance': {'regulations_violated': ['HIPAA (Health Insurance '
'Portability and '
'Accountability Act)'],
'regulatory_notifications': ['U.S. Department of '
'Health and Human '
'Services (HHS)']},
'response': {'communication_strategy': ['Posted Consumer Notice on Website',
'Notified U.S. Department of Health '
'and Human Services (HHS)',
'Established Dedicated Helpline '
'(855-291-2518)'],
'containment_measures': ['Secured Affected Email Accounts'],
'incident_response_plan_activated': True,
'recovery_measures': ['Offered Complimentary Credit Monitoring & '
'Identity Protection Services'],
'remediation_measures': ['Engaged Third-Party Forensic '
'Investigation',
'Reviewed Affected Patients and '
'Compromised Data',
'Issued Notification Letters to '
'Affected Individuals'],
'third_party_assistance': ['Forensic Investigation Firm']},
'threat_actor': 'Unauthorized Party (Unknown)',
'title': 'Data Breach at Innovative Physical Therapy via Third-Party Vendor',
'type': 'Data Breach (Phishing)',
'vulnerability_exploited': 'Human Error (Phishing Susceptibility)'}