Hand Rehabilitation Specialists Suffers Breach of Almost 13,000 Patients’ PHI

Hand & Upper Extremity Centers has announced a security breach has potentially impacted almost 13,000 patients.

The breach occurred at Thousand Oaks, CA-based Hand Rehabilitation Specialists (HRS). While it is unclear when the breach actually occurred, HRS was notified about a potential security incident on July 5, 2017.

According to the substitute breach notice uploaded to the HBS website, an unauthorized individual is believed to have gained access to HBS systems and potentially viewed and exfiltrated patient data. As soon as HBS became aware of the incident, law enforcement was contacted and the Ventura County Sherriff’s Office conducted a forensic investigation of the computer system used by HBS. The incident was also reported to the Federal Bureau of Investigation.

Law enforcement found no evidence to suggest any patient data had been exfiltrated, although it was not possible to rule out data theft with a high degree of certainty.

The breach affects patients seen between 2004 and 2013, as well as their payment guarantors. The types of information potentially accessed include names, addresses, phone numbers, dates of birth, dates of service, Social Security numbers, medical diagnoses, billing codes, cost of medical services, co-pay amounts made, medical insurance companies, insurance group numbers and contact information, check numbers, and HRS’s name and practice contact information.

To protect affected individuals from identity theft and fraud, all have been offered credit monitoring/identity theft protection services free of charge. HBS is also revising office policies and procedures to prevent similar incidents from occurring in the future.

The report submitted to the Department of Health and Human Services Office for Civil Rights indicates 12,806 patients have been impacted by the breach and have potentially had their protected health information exposed.

Databreaches.net has published additional information on the incident. While the identity of the individual(s) behind the attack is unknown, the individual/group was responsible for the intrusion appears to have been confirmed – A hacker/hacking group known as TheDarkOverlord (TDO).

According to the report, TDO admitted the hack and provided a sample of 10 patients’ records which were used to verify the claim. TDO also informed the site that an extortion demand was issued.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.