Encompass Health
The nation's largest inpatient rehabilitation provider exposed patient data—detailed recovery records from stroke, injury, and illness patients.
What happened?
Encompass Health, the largest owner and operator of inpatient rehabilitation hospitals in the United States with over 150 facilities, disclosed a data breach affecting patient records. Rehabilitation patients are recovering from serious injuries, strokes, and illnesses—making their medical data particularly sensitive.
What data was actually inside?
Patient names, Social Security numbers, medical records, rehabilitation assessments, and discharge summaries. Rehabilitation records are unusually detailed: they document functional limitations, cognitive assessments, mobility scores, and progress over weeks of intensive care. Taken together, they describe exactly how impaired a patient is and how far recovery has progressed.
Insurance information and authorization records show which treatments were approved, denied, or pending, revealing coverage gaps and financial exposure.
Who gets hurt and how?
Patients recovering from strokes, traumatic brain injuries, spinal cord injuries, and major surgeries. They're already dealing with life-changing medical events; now their private recovery struggles are exposed. Many are elderly or newly disabled, populations especially susceptible to targeted scams, including phishing and fraud that cites real diagnoses and treatment details to appear legitimate.
Rehabilitation data can affect disability claims, insurance coverage, and employment. Exposure of functional limitations has long-term consequences.
What did they think they were doing right?
Encompass Health is a publicly traded healthcare company operating under HIPAA. They have compliance programs, security controls, and serve Medicare and Medicaid patients with corresponding regulatory requirements. As a specialty provider, they understand they handle sensitive patient populations.
Healthcare compliance creates an expectation of security, but a compliance program is a floor, not a guarantee: it attests that required controls exist, not that they cover every copy of the data. That expectation wasn't fulfilled.
What did they not know about their own data?
Encompass didn't know how accessible patient data was across their 150+ facilities. Rehabilitation hospitals generate extensive documentation: daily progress notes, therapy assessments, and functional independence measures (FIM scores) recorded throughout the stay. Each patient generates a comprehensive record over weeks of care, and copies of it accumulate in clinical, billing, and reporting systems.
They knew they had detailed patient records. They didn't know how vulnerable those records were until the breach revealed it.
What does attribution look like the morning after?
Notifications to patients and families already dealing with recovery challenges. Explaining to people in wheelchairs that their rehabilitation records are exposed. HHS OCR investigation. Media coverage of another healthcare breach affecting vulnerable patients.
For rehabilitation providers, the breach adds insult to injury—patients came for healing and got their privacy violated.
What would have changed the outcome?
Knowing what sensitive rehabilitation data exists, where it lives, and protecting it accordingly.
If Encompass had mapped their patient data (functional assessments, cognitive evaluations, discharge plans) across every system that stores a copy, they could have prioritized protection for the most sensitive information: access limited to the treating care team, audit logging of who opens which record, encryption at rest, and retention limits on records no longer needed for care. Rehabilitation records document people at their most vulnerable. That data deserves enhanced protection.
Don't Learn What You Have From an Attacker
Encompass didn't know what patient data was at risk until the breach occurred. Risk Finder shows you first.
Start Your Risk Assessment