By Bruce Sussman
Tue | Oct 9, 2018 | 8:16 AM PDT

They bill themselves as the official team physicians for the NBA's Portland Trail Blazers, and now Rebound Orthopedics and Neurosurgery has announced that personally identifiable information (PII) has been exposed for up to 2,800 of its patients. It's unclear if Blazer players are included as part of that number.

The Columbian, Rebound's hometown newspaper in Vancouver, Washington, reports on the regional medical clinic's data breach:

Officials believe the breach started with an email sent to a Rebound employee, Rebound executive director John Bauman said Friday night. While Rebound employees are trained to scrutinize suspicious emails, the phishing email arrived from a trusted source—a Rebound contractor whose cybersecurity also had been breached. The Rebound employee opened the email and also an attachment, which unleashed malware that collected information, Bauman said.

What is still unclear is why it took Rebound so long to announce the breach. SecureWorld looked up the breach notification details in the Oregon State Attorney General's database and found this:


The breach of the medical group's database took place on May 22, 2018. This was apparently discovered on August 8th, but notification was delayed until October 5th. The Columbian adds:

"On Aug. 8, Rebound’s computer forensic investigation showed that patient personal information—including name, date of birth, Social Security number, driver’s license number, financial account information and limited health information—may have been disclosed."

Is two months a reasonable amount of time for breach notification? That question will probably be answered in the days to come.