13,000 Patients’ PHI Breached Following Hand Rehabilitation Specialists Suffering Data Theft

by | Sep 16, 2017

A security breach that has potentially impacted almost 13,000 patients has been announced by Hand & Upper Extremity Centers.

The breach happened at Thousand Oaks, CA-based Hand Rehabilitation Specialists (HRS). While it is unclear when the breach actually happened, HRS was advised about a potential security incident on July 5, 2017.

According to the substitute breach notice published on the HBS website, an unauthorized person is believed to have gained access to HBS systems and potentially viewed and exfiltrated patient data. As soon as HBS we made aware of the incident, law enforcement was informed and the Ventura County Sherriff’s Office carried out a forensic investigation of the computer system used by HBS. The incident was also submitted to the Federal Bureau of Investigation.

Law enforcement found no evidence to show any patient data had been taken, although it was not possible to rule out data theft with a good degree of certainty.

The breach affects patients  that attended between 2004 and 2013, as well as their payment guarantors. The types of information possibly accessed include names, addresses, phone numbers, dates of birth, dates of service, Social Security numbers, medical diagnoses, billing codes, cost of medical services, co-pay amounts made, medical insurance companies, insurance group numbers and contact information, check numbers, and HRS’s name and practice contact details.

To protect affected people from identity theft and fraud, all have been offered credit monitoring/identity theft protection services with no charge. HBS is also reviewing office policies and procedures to prevent similar incidents from happening in the future.

The report filed to the Department of Health and Human Services Office for Civil Rights shows 12,806 patients have been impacted by the breach and have potentially had their protected health information taken.

Databreaches.net has published additional information on the theft. While the identity of those responsible for the attack is unknown, the individual/group was responsible for the intrusion appears to have been confirmed – A hacker/hacking group referred to as TheDarkOverlord (TDO).

In the report, TDO admitted the hack and supplied a sample of 10 patients’ records which were used to verify the claim. TDO also informed the site that an extortion demand was sought.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy