
East Hawaii Rehab, Inc. DBA Lehua Physical Therapy and Rehab Data Breach: 8,472 Patients Affected

Sreenivasa Reddy G
Founder & CEO
Jan 11, 2026 · 3 min read

This case study examines how proper IT support for medical offices could have prevented the East Hawaii Rehab, Inc. DBA Lehua Physical Therapy and Rehab breach affecting 8,472 patients.

Organization: East Hawaii Rehab, Inc. DBA Lehua Physical Therapy and Rehab

Location: HI

Individuals Affected: 8,472

Breach Type: Theft

Location of Breach: Other, Other Portable Electronic Device, Paper/Films

Source: HHS Office for Civil Rights Breach Portal

What Happened

East Hawaii Rehab, Inc. DBA Lehua Physical Therapy and Rehab in HI reported a data breach to the HHS Office for Civil Rights affecting 8,472 individuals. The report lists the location of the breached information as Other, Other Portable Electronic Device, and Paper/Films, all containing protected health information (PHI).

The breach resulted from physical theft of devices or media containing patient records. Stolen laptops, mobile devices, USB drives, or backup tapes often contain unencrypted PHI. Without proper encryption and device management, physical theft leads directly to data exposure.

Why This Matters

Healthcare data breaches carry severe consequences beyond regulatory fines:

  • Patient harm: Exposed medical records enable identity theft, insurance fraud, and targeted scams against vulnerable patients
  • Financial impact: HIPAA penalties range from $100 to $50,000 per violation, with annual maximums of $1.5 million per violation category
  • Reputation damage: Breach notifications to 8,472 patients generate local media coverage and erode trust
  • Operational disruption: OCR investigations require significant staff time and may trigger additional audits
  • Legal exposure: Class action lawsuits following major breaches can exceed regulatory penalties

How This Could Have Been Prevented

Based on the breach type and affected systems, these controls would have reduced risk:

  1. Encrypt all devices and media containing PHI (laptops, phones, USB drives)
  2. Implement mobile device management (MDM) with remote wipe capability
  3. Prohibit storage of PHI on portable devices without encryption
  4. Use cable locks and secure storage for equipment in clinical areas
  5. Deploy asset tracking for all devices with PHI access

Many healthcare organizations lack the internal resources to implement these controls. A qualified healthcare IT support services provider can fill these gaps with HIPAA-trained staff who understand clinical workflows.

Key Takeaways

  1. Breaches are preventable: The controls that stop most healthcare breaches are well-documented. Implementation—not knowledge—is the gap.
  2. Speed matters: Early detection limits breach scope. Organizations with 24/7 monitoring typically contain incidents faster than those without.
  3. Documentation is critical: HIPAA requires demonstrating reasonable security measures. Proper logging and policy documentation can reduce penalties.
  4. Third parties add risk: Business associates cause a significant portion of healthcare breaches. Vendor security assessment matters.

Protect Your Practice

Healthcare organizations face increasing cyber threats. HIPAA-trained IT support can help protect patient data before incidents occur.

Written by Sreenivasa Reddy G, Founder & CEO (15+ years)

Sreenivasa Reddy is the Founder and CEO of Medha Cloud, recognized as "Startup of the Year 2024" by The CEO Magazine. With over 15 years of experience in cloud infrastructure and IT services, he leads the company's vision to deliver enterprise-grade cloud solutions to businesses worldwide.
