Data Breach Notifications

Entity Information

  • Type of Organization: Healthcare
  • Entity Name: Sycamore Rehabilitation Services, Inc.
  • Street Address: 1001 Sycamore Lane
  • City: Danville
  • State, or Country if outside the US: IN
  • Zip Code: 46122

Submitted By

  • Name: Karen Painter Randall
  • Title: Partner
  • Firm name (if different than entity): Connell Foley
  • Telephone Number: 973-535-0500
  • Email Address: krandall@connellfoley.com
  • Relationship to entity whose information was compromised: Incident Response Counsel

Breach Information

  • Total number of persons affected (including residents): 3414
  • Total number of Maine residents affected: 2
  • If the number of Maine residents exceeds 1,000, have the consumer reporting agencies been notified:
  • Date(s) Breach Occured: 07/29/2023-08/09/2023
  • Date Breach Discovered: 09/21/2023-01/18/2024
  • Description of the Breach:
    • Other
    • If other, please specify: On September 21, 2023, Sycamore identified a cybersecurity issue. Sycamore promptly retained computer forensic specialists and immediately began a comprehensive investigation to determine the nature and scope of the incident. At the time of the incident, Sycamore had the following security measures in place including but not limited to: MFA enabled by default on all O365 accounts; VPN required to access all internal network resources from outside the organization; Critical Windows patches were automatically applied monthly; Default Office 365 attachment and link scanning was in place; All external e-mail were tagged with a warning banner; All servers and workstations were protected with anti-virus software (Sentinel One), automatically updated; All critical data was backed up onsite, encrypted, and replicated to the cloud; POP and IMAP was disabled by default for all accounts; O365 / Azure PowerShell access was off by default for all accounts. The forensic investigation determined a third party may have gained unauthorized access to mailbox accounts containing sensitive information such as names, date of birth, social security numbers, driver’s license or state identification numbers, account numbers, routing numbers, medical information, and health insurance information. The categories of information varied by individual. Sycamore’s forensic experts do not have conclusive evidence indicating what if any information related to Sycamore was acquired. Following the incident, Sycamore deployed the following additional security measures, including but not limited to: Proofpoint email scanning and security; Breach Secure Now phishing testing; DUO MFA on VPN accounts. While there was no evidence of any misuse of data, identity theft, or fraud caused by the incident, out of an abundance of caution, Sycamore worked diligently to identify all individuals who may have been impacted by the incident. Sycamore mailed a notification letter offering identity theft protection and credit monitoring services at no cost to these individuals on March 1, 2024.
  • Information Acquired - Name or other personal identifier in combination with: Social Security Number

Notification and Protection Services

  • Type of Notification: Written
  • Date(s) of consumer notification: 03/01/2024
  • Copy of notice to affected Maine residents: ELN-21300 Sycamore Rehabilitation Services 2 Ad CM 1 Year r3prf.pdf
  • Date of any previous (within 12 months) breach notifications:
  • Were identity theft protection services offered: Yes
  • If yes, please provide the duration, the provider of the service and a brief description of the service: Kroll- Identity theft protection and credit monitoring services for 12 months