Healthcare Information Security

Latest Health Data Breaches News

Physical Therapy Facility Reports Data Security Incident

Recent reports of potential health data security incidents include inappropriate access, a stolen laptop, and missing thumb drives.

By Elizabeth Snell

A physical therapy provider recently announced it experienced a possible data security incident that may have exposed certain personal information for some patients.

Data security incident could affect 1,100 patients at Best Health Physical Therapy

Best Health Physical Therapy, LLC (Best Health) explained on its website that it was notified by its billing services provider on September 23, 2016 that the provider’s computer system accounts had been inappropriately accessed. The individual who accessed the accounts writes blogs on internet security and was reportedly looking for data vulnerabilities.

The individual said that  he did not and would not use any of the accessed information.

Potentially accessed Best Health patient data includes names, addresses, dates of birth, insurance information, driver’s license information and health information. However, Best Health added that there is no evidence that the data was misused. It reiterated the fact that the vulnerability was on its billing provider’s system, and not its own computer system.

“Best Health took immediate steps to investigate and determine the source and extent of any access to our patients’ information,” Best Health said. “The vulnerability was identified and closed by the billing service provider immediately. Updated access controls are now in place to secure the account. Best Health has terminated its relationship with the billing service provider.”

While the Best Health statement did not specify how many individuals were potentially affected, the OCR data breach reporting tool states that 1,100 patients possibly had their information involved.

Stolen laptop leads to potential data security breach in NY

New York-based Kineto Rehab PHysical Therapy, PLLC recently announced on its website that there was a possible data security breach after a bag containing a work laptop was stolen.

Kineto said that it became aware of the missing bag on September 16, 2016, and that the bag was subsequently located but the laptop was not inside. However, footage of the thief has been identified and police are still working to track down the individual.

Patients who were seen for physical therapy services from November 2011 to March 2013 may have had certain information affected. This includes patient names, dates of birth, addresses, Social Security numbers, insurance information and clinical/physical therapy notes.

“There is no indication that your information has been accessed or used by an unauthorized individual,” read the Kineto statement, which was signed by CEO Shirley Agapito, DPT. “Please be assured that we have taken every step necessary to address the incident, and that we are committed to fully protecting all the information that has been entrusted to us.”

Individuals who may have been affected with sensitive information on their file will be offered a complimentary one-year membership identity protection services.

The OCR data breach reporting tool states that 665 individuals may have had their data exposed.

Business associate breach affects Delaware facility

A previously reported breach stemming from a remote-monitoring labor service for cardiac devices has reportedly affected another healthcare provider.

Wentworth-Douglass Hospital (WDH) had been working with Ambucor Health Solutions, which recently discovered that thumb drives recovered from one of its former employees contained personal information of thousands of patients nationwide. The drives contained information on 775 WDH patients, according to a article.

While the data did not include Social Security numbers, credit card, insurance, Medicaid/Medicare or other financial information, some personal data may have been exposed.

This includes patients’ names, dates of birth, home addresses, phone numbers, medications, race, testing data, patient identification numbers, medical device information such as the manufacturer, diagnosis, Ambucor enrollment numbers, Ambucor enrollment dates, Ambucor technician names, physician name(s), and the name and address of the practice where the patient was seen.

There is no indication that the data has been misused, but Ambucor has offered affected patients one year of identity protection services. Furthermore, Ambucor will also offer any necessary related recovery services and $1 million of identity theft insurance.

In the original breach, Ambucor had an employee who downloaded GHS information not long before his employment at Ambucor ended. The business associate was given two flash drives in July from law enforcement, which had been turned in when the employee left. Upon learning that information had been downloaded, Ambucor started to notify those potentially affected.


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks