13,000 Patients’ PHI Breached Following Hand Rehabilitation Specialists Suffering Data Theft

by Ryan Coyne | Sep 16, 2017

A security breach that has potentially impacted almost 13,000 patients has been announced by Hand & Upper Extremity Centers.

The breach happened at Thousand Oaks, CA-based Hand Rehabilitation Specialists (HRS). While it is unclear when the breach actually happened, HRS was advised about a potential security incident on July 5, 2017.

According to the substitute breach notice published on the HBS website, an unauthorized person is believed to have gained access to HBS systems and potentially viewed and exfiltrated patient data. As soon as HBS we made aware of the incident, law enforcement was informed and the Ventura County Sherriff’s Office carried out a forensic investigation of the computer system used by HBS. The incident was also submitted to the Federal Bureau of Investigation.

Law enforcement found no evidence to show any patient data had been taken, although it was not possible to rule out data theft with a good degree of certainty.

The breach affects patients that attended between 2004 and 2013, as well as their payment guarantors. The types of information possibly accessed include names, addresses, phone numbers, dates of birth, dates of service, Social Security numbers, medical diagnoses, billing codes, cost of medical services, co-pay amounts made, medical insurance companies, insurance group numbers and contact information, check numbers, and HRS’s name and practice contact details.

To protect affected people from identity theft and fraud, all have been offered credit monitoring/identity theft protection services with no charge. HBS is also reviewing office policies and procedures to prevent similar incidents from happening in the future.

The report filed to the Department of Health and Human Services Office for Civil Rights shows 12,806 patients have been impacted by the breach and have potentially had their protected health information taken.

Databreaches.net has published additional information on the theft. While the identity of those responsible for the attack is unknown, the individual/group was responsible for the intrusion appears to have been confirmed – A hacker/hacking group referred to as TheDarkOverlord (TDO).

In the report, TDO admitted the hack and supplied a sample of 10 patients’ records which were used to verify the claim. TDO also informed the site that an extortion demand was sought.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Used in 1000+ Healthcare Organizations and 100+ Universities

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter