Illinois-based ATI Physical Therapy is notifying 35,136 patients after several employee email accounts were breached by a hacker.

On Jan. 11, ATI discovered the direct deposit information of some employees was changed in its payroll system. Officials said they launched an investigation with a third-party forensics team that determined several employee email accounts were hacked between Jan. 9 and Jan. 12.

Some patient data were included in one or more of those accounts.

[Also: The biggest healthcare data breaches of 2018 (so far)]

The type of breached data varied by patient, but could include a combination of Social Security numbers, driver’s license or state identification numbers, financial account numbers, Medicare or Medicaid identification numbers, and medical record numbers, along with a wide range of medical information.

Officials said Social Security numbers were only breached for a small percentage of patients.

Impacted patients were notified by mail and offered a year of free credit monitoring, along with a $1 million identity theft insurance policy.

The investigation is ongoing, and ATI officials said they’ve since strengthened email security to protect against future breaches. Employees were also provided additional training to better detect phishing emails.

Email hacks on healthcare organizations have been relentless this year. According to Protenus’ February Breach Barometer, hacking was responsible for 33 percent of breaches last month.

In January, Florida’s Agency of Healthcare Administration reported a breach of 30,000 patient records after an employee fell for a phishing email, while Onco360’s breach impacted 53,000 patients after a hack of three employee email accounts. And a growing list of others have faced similar breaches.

Twitter: @JessieFDavis

Email the writer: jessica.davis@himssmedia.com