13,000 Patients’ PHI Breached Following Hand Rehabilitation Specialists Suffering Data Theft

A security breach that has potentially impacted almost 13,000 patients has been announced by Hand & Upper Extremity Centers.

The breach happened at Thousand Oaks, CA-based Hand Rehabilitation Specialists (HRS). While it is unclear when the breach actually happened, HRS was advised about a potential security incident on July 5, 2017.

According to the substitute breach notice published on the HBS website, an unauthorized person is believed to have gained access to HBS systems and potentially viewed and exfiltrated patient data. As soon as HBS we made aware of the incident, law enforcement was informed and the Ventura County Sherriff’s Office carried out a forensic investigation of the computer system used by HBS. The incident was also submitted to the Federal Bureau of Investigation.

Law enforcement found no evidence to show any patient data had been taken, although it was not possible to rule out data theft with a good degree of certainty.

The breach affects patients  that attended between 2004 and 2013, as well as their payment guarantors. The types of information possibly accessed include names, addresses, phone numbers, dates of birth, dates of service, Social Security numbers, medical diagnoses, billing codes, cost of medical services, co-pay amounts made, medical insurance companies, insurance group numbers and contact information, check numbers, and HRS’s name and practice contact details.

To protect affected people from identity theft and fraud, all have been offered credit monitoring/identity theft protection services with no charge. HBS is also reviewing office policies and procedures to prevent similar incidents from happening in the future.

The report filed to the Department of Health and Human Services Office for Civil Rights shows 12,806 patients have been impacted by the breach and have potentially had their protected health information taken.

Databreaches.net has published additional information on the theft. While the identity of those responsible for the attack is unknown, the individual/group was responsible for the intrusion appears to have been confirmed – A hacker/hacking group referred to as TheDarkOverlord (TDO).

In the report, TDO admitted the hack and supplied a sample of 10 patients’ records which were used to verify the claim. TDO also informed the site that an extortion demand was sought.