Breach Notification of Integrated Rehab Consultants’ Patients Took Longer Than 60 Days


The physiatry group Integrated Rehab Consultants (IRC), based in Chicago, IL, has sent notification letters to some of its patients warning them of a potential exposure of their protected health information (PHI). The letters went out well beyond the 60-day deadline the HIPAA Breach Notification Rule sets from the date a breach is discovered: IRC first learned of the PHI exposure on December 2, 2016.

Patient data had been uploaded to a publicly accessible repository. The exposed information included patients' full names, dates of birth, addresses, gender, medical provider details, date and status of visit, admission date, treatment location, appointment visit ID, procedure codes and diagnostic codes. A healthcare security researcher found the PHI and notified IRC of the exposure.

IRC took prompt action to secure the data and investigated how and why it had been uploaded to a public location. The investigation found that a business associate of IRC with access to the PHI had passed the data on to a subcontractor, and that the subcontractor had uploaded it to the public repository by mistake.

At the time of discovery, IRC believed that only the security researcher had accessed the data. In the fall of 2017, however, IRC learned that other individuals may also have accessed it, a finding it disclosed in a substitute breach notice. IRC did not notify patients within 60 days of discovery because it initially believed there was no significant risk of harm or financial loss. Note that since the 2013 Omnibus Rule, the test under HIPAA is not whether harm is likely but whether a documented risk assessment shows a low probability that the PHI has been compromised; an impermissible disclosure is otherwise presumed to be a notifiable breach. IRC offered no clear explanation for the further delay in notifying patients after it became aware that others may have accessed the data.

IRC has now notified all patients potentially affected by the breach and is offering them one year of free credit monitoring and identity restoration services. IRC is not aware of any misuse of patient information, but affected patients have been encouraged to monitor their credit reports and Explanation of Benefits (EOB) statements for signs of identity theft and fraudulent transactions.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/