Integrated Rehab Consultants Patients Not Notified of PHI Breach for 18 Months

April 20, 2018


The physiatry group Integrated Rehab Consultants, located in Chicago, IL, is issuing notification letters to affected patients advising them that some of their protected health information (PHI) was exposed, as required under HIPAA.

However, the breach was not discovered within the last 60 days: Integrated Rehab Consultants (IRC) became aware of the exposure of PHI 16 months ago, on December 2, 2016.

The information, which included patients’ full names, procedure codes, treatment location, appointment visit ID, admission date, visit status, visit date, medical provider information, gender, date of birth, address, and diagnosis codes, had been posted to a publicly accessible location. The PHI was discovered by a healthcare security researcher, who notified IRC of the breach.

Prompt action was taken to remove and secure the data, and an investigation was launched to determine how and why the data had been placed in an unsecured location. That investigation found that a business associate that had been provided with the PHI had passed the data on to a third party. It was that subcontractor that made the error and posted the data to the publicly accessible location.

At the time of the breach, IRC believed the information had only been accessed by the security researcher. However, in its substitute breach notice, IRC stated that in the autumn of 2017 it became apparent that other individuals might also have accessed the information.

Patients potentially affected have been offered free credit monitoring and identity restoration services for one year and were notified of the incident ‘out of an abundance of caution.’ IRC has not received any reports indicating that patient information has been misused, although affected individuals have been advised to check their credit reports and Explanation of Benefits (EoB) statements carefully and to remain vigilant for signs of identity theft and fraud.

Patients may not have been notified of the exposure of their PHI within 60 days of the initial discovery because it was not believed there was a significant risk of financial loss or harm, although it is unclear why there was a delay in sending notifications once it was suspected that other individuals might have gained access to the information.