Chicago, IL-based Integrated Rehab Consultants is sending notification letters to patients alerting them to the exposure of some of their protected health information, as required by HIPAA. However, the breach was not discovered in the past 60 days. Integrated Rehab Consultants (IRC) first became aware of the exposure of PHI 16 months ago.
The data – which included patients’ full names, addresses, dates of birth, genders, medical provider information, visit dates, visit statuses, admission dates, appointment visit IDs, treatment locations, procedure codes, and diagnosis codes – had been uploaded to a publicly accessible repository. The PHI was discovered by a healthcare security researcher who notified OCR about the breach.
Prompt action was taken to remove and secure the data, and an investigation was launched to determine how and why the data had been uploaded to an insecure location.