Integrated Rehab Consultants Takes 16 Months to Notify Patients of PHI Breach

Illinoie-based physiatry organization Integrated Rehab Consultants is broadcasting notification correspondence to some patients alerting them to the exposure of some of their protected health information, in line with HIPAA regulations. However, the breach was not discovered within the past 60 days. Integrated Rehab Consultants (IRC) initially became aware of the exposure of PHI on December 2, 2016 – 16 months previously.

The information – which incorporated patients’ complete names, address, date of birth, gender, medical provider details, visit date, visit status, admission date, treatment visit ID, treatment location, procedure code and diagnosis codes – had been published to a publicly accessible repository. The PHI was found by a healthcare security researcher who alerted IRC about the data breach.

Rapid action was taken to erase and safeguard the data and an inquiry was kicked off  to determine how and why the data had been made available to an insecure location. That review determined that a business partner who had been given the PHI had disclosed the PHI to a third party. It was that subcontractor that made the mistake and uploaded the data to the public website.

When the breach happened, IRC only believed the data had been accessed by the security worker. However, in its substitute breach notice, IRC remarked that in the latter half of 2017 it became obvious that other individuals may also have accessed to data.

Patients who may have been impacted have been offered free credit monitoring and identity restoration services for 12 months and advised about the incident ‘out of an abundance of caution.’ There have been no reports made to ICR to imply any patient information has been misused, although affected people have been encouraged to review  their credit reports and EoB statements diligently and to remain vigilant against incidents of identity theft.

Individuals who have been told of the exposure of their private health information within 60 days of the the breach being identified as it may not have been thought that there was a significant risk of monetary loss or harm, although it is unclear why there was a slowness in issuing warnings when it was felt that other individuals may have accessed the data.

Author: Maria Perez