Unity Recovery Group Discovers 12-Month HIPAA Breach

Unity Recovery Group (URG), a provider of drug and alcohol rehabilitation services, has announced that some of its patients have been affected by a data breach that has violated their privacy rights and breached Health Insurance Portability and Accountability Act Rules.

The organization is in the process of notifying an as of yet unspecified number of individuals of a privacy breach which lasted almost a year, starting in April, 2014 and lasting until March, 2015. Patients have been advised that some of their Protected Health Information (PHI) “was impermissibly disclosed” to “one or more unaffiliated recovery and/or rehabilitation service providers,” according to the company’s breach notice.

HIPAA Breach Exposed Health Information and Social Security Numbers for 12 Months

URG is alerting affected individuals that their names, dates of birth, addresses, contact telephone numbers, email addresses, health insurance information, Social Security numbers, and “certain health information” were exposed.

Since the breach notice does not provide much information about the exact nature of the data breach, it is difficult for patients to ascertain the level of risk they face. It is not clear whether the information was stolen, passed to other companies by an employee or was provided by the company without a Business Associate Agreement (BAA) in place.

URG did point out that in response to the data breach, it has initiated an investigation and employed Forensic Data Services, Inc., to enhance its IT security systems, conduct further training of the staff and outside legal counsel has been enlisted to assist with the company’s investigation. The breach notice appears to raise more questions than it answers.


Limited Timeframe for Victims to Obtain Free Credit Monitoring and Credit Protection Services

Since the level of risk is unknown, but highly sensitive information has been exposed, victims are advised to take advantage of the credit monitoring services being provided – free of charge – by URG. Part of the credit protection service offered to patients includes a $20,000 insurance policy against fraud.

Since Social Security numbers, dates of birth and other information was disclosed for up to 12 months, credit reports should be obtained from the three main credit bureaus – Equifax, Experian and TransUnion – as soon as possible, and any suspected fraudulent activity should be reported to law enforcement and URG.

Insurance information was also exposed, so Explanation of Benefits (EoB) statements should also be checked for signs of fraudulent activity. Criminals are able to run up debts far in excess of the insurance policy limit, so it is essential that rapid action is taken to identify fraud.

Unity Recovery Group will also only be offering damage mitigation services for three months – until August 26, 2015. Any patients not having registered for the service before this date will lose the opportunity to have credit protection and monitoring services provided free of charge.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.