5 Lessons from the ATI Physical Therapy HIPAA Breach

Earlier this month, ATI Physical Therapy in Illinois submitted a HIPAA breach notification to the U.S. Department of Health and Human Services. An IT-related breach compromised the protected health information (“PHI”) of 35,136 patients. 

In January, ATI discovered that some employees’ direct deposit information had been altered, and it subsequently launched a forensic investigation into its data security. The investigation revealed the source of the breach: some employees’ email accounts had been subjected to unauthorized access — or hacked — in early January. When these email accounts were analyzed, the investigators determined that tens of thousands of patients’ PHI had been mentioned in, or attached to, the accounts’ correspondence.

The compromised PHI varied, but it included information such as:

  • name
  • social security number
  • date of birth
  • driver’s license number
  • state ID number
  • Medicare number
  • Medicaid number
  • credit card or debit card number
  • address
  • health insurance information
  • financial account number
  • medical record number
  • patient ID number
  • billing or claims information
  • diagnosis code
  • disability code
  • treatment information
  • prescription information
  • therapist name
  • physician name
  • referral information

ATI has notified all affected patients by mail, set up a toll-free customer support phone number, and publicized the breach to the media and on its website. The breach is also listed on HHS’ so-called HIPAA Wall of Shame, which publicly discloses all covered entity or business associate breaches affecting 500+ patients. Affected patients are receiving free credit monitoring services from ATI, and the loss is covered by ATI’s $1 million identity theft insurance policy.

The HHS website identifies the matter as a case “currently under investigation.”

The Takeaway: 5 Reminders about HIPAA Breaches

1. HHS must be notified of any breach that affects the PHI of 500 or more patients. Because most EMR systems include both current and historical patients, even small practices often easily surpass this threshold if breached.

2. Each covered entity’s HIPAA policies must contain written procedures that will be followed in the event of a breach. The absence of such policies is itself a HIPAA violation.

3. HIPAA breaches can be caused by accidents, loose policies, or intentional malfeasance.

4. A covered entity is responsible if it transmits PHI to a third party from which it hasn’t obtained written assurances (in the form of a so-called “business associate agreement”) that the third party follows stringent HIPAA procedures.

5. If a breach affects 500 or more patients, the covered entity must notify the media and publicize the breach.

All content © 2018 Jackson LLP.