East Hawaii Rehab Data Breach: 8,472 Patients Affected by Theft
What Happened
East Hawaii Rehab, Inc., operating as Lehua Physical Therapy and Rehab in Hilo, Hawaii, has reported a significant data breach affecting 8,472 patients to the Department of Health and Human Services. The incident was officially reported on February 28, 2025, and has been classified as a theft involving multiple types of storage media.
The breach involved the theft of protected health information (PHI) stored across various formats, including paper documents, films, and portable electronic devices. This multi-format theft highlights the vulnerability of healthcare practices that maintain patient information in both digital and physical formats.
Lehua Physical Therapy and Rehab, established in 2003 and located at 116 Hualalai St, Suite #101 in Hilo, has been serving the East Hawaii community for over two decades. The clinic specializes in pain management, recovery assistance, and injury prevention services.
Who Is Affected
The breach impacts 8,472 individuals who received services at East Hawaii Rehab, Inc. DBA Lehua Physical Therapy and Rehab. This represents a substantial portion of the practice's patient base, considering it operates as a single-location physical therapy clinic in Hilo, Hawaii.
Patients affected by this breach likely had their personal health information compromised across multiple formats. Given the nature of physical therapy services, the stolen information could include:
- Patient names and contact information
- Medical history and treatment records
- Insurance information and billing details
- Physical therapy treatment plans and progress notes
- Diagnostic imaging and assessment results
The theft's impact extends beyond just digital records, as the inclusion of paper files and films suggests that decades of patient information may have been compromised.
Breach Details
According to the HHS Office for Civil Rights breach report, the incident is classified as a theft involving:
- Other portable electronic devices: This could include laptops, tablets, external hard drives, or other mobile storage devices containing patient data
- Paper/Films: Physical patient records, X-rays, diagnostic films, and other hard-copy medical documents
- Other materials: Additional unspecified items containing protected health information
The breach was reported to HHS on February 28, 2025, though the exact date when the theft occurred has not been disclosed. Under HIPAA regulations, covered entities must report breaches to HHS within 60 days of discovery, suggesting the incident was discovered sometime in late December 2024 or January 2025.
Darlene Yamashita, the Office Manager at East Hawaii Rehab, serves as the authorized contact person for the clinic and can be reached at 808-969-3811 for patient inquiries related to the breach.
The clinic operates under NPI number 1831260330, which was assigned in November 2006, indicating its established presence in the Hawaii healthcare community.
What This Means for Patients
For the 8,472 affected patients, this breach represents a serious compromise of their protected health information. The theft of both digital and physical records creates multiple risk scenarios:
Identity Theft Risk: With comprehensive medical records potentially stolen, patients face increased risk of medical identity theft, where criminals use stolen health information to obtain medical services or prescription drugs.
Financial Fraud: Insurance information and billing details could be used to commit healthcare fraud or submit false claims.
Privacy Violations: Sensitive medical information about physical therapy treatments, injuries, and health conditions may now be in unauthorized hands.
Long-term Exposure: Unlike digital breaches that can sometimes be contained, stolen physical documents and films are difficult to recover, potentially leaving patient information exposed indefinitely.
Patients should monitor their medical records, insurance statements, and credit reports for any suspicious activity. Any unauthorized medical services or unfamiliar charges should be reported immediately to healthcare providers and insurance companies.
How to Protect Yourself
If you are a patient of East Hawaii Rehab or Lehua Physical Therapy and Rehab, take these immediate steps:
Contact the Practice: Reach out to Darlene Yamashita at 808-969-3811 to confirm if your information was affected and learn about remediation efforts.
Monitor Medical Records: Review all medical statements and insurance explanations of benefits for services you didn't receive.
Check Credit Reports: Obtain free credit reports from all three major bureaus and look for medical collections or unfamiliar accounts.
Alert Healthcare Providers: Inform other healthcare providers about the breach so they can verify your identity more carefully during future visits.
Document Everything: Keep records of all communications related to the breach and any suspicious activities you discover.
Consider Fraud Alerts: Place fraud alerts on your credit files to make it harder for identity thieves to open accounts in your name.
Prevention Lessons for Healthcare Providers
This breach offers critical lessons for healthcare practices of all sizes:
Secure Physical Records: Paper documents and films require the same level of security as digital files. Implement locked storage, limited access controls, and proper disposal procedures.
Device Security: Portable electronic devices containing PHI must be encrypted, password-protected, and physically secured when not in use.
Comprehensive Risk Assessments: Regular security assessments should cover all forms of PHI storage, not just electronic health record systems.
Employee Training: Staff must understand their role in protecting both digital and physical patient information from theft.
Incident Response Planning: Have clear procedures for responding to theft incidents, including immediate containment steps and notification requirements.
Access Controls: Limit who has access to patient information and maintain logs of who accesses what information and when.
Small practices like physical therapy clinics often face unique challenges in implementing comprehensive security measures due to limited resources and IT expertise. However, the significant impact of this breach demonstrates that no healthcare provider is too small to be targeted.
The combination of physical and digital theft in this case highlights the need for multi-layered security approaches that protect information regardless of its format or storage location.