NHPP Physical Medicine and Rehabilitation NY Data Breach: 1,353 Patients Affected
On May 23, 2025, NHPP Physical Medicine and Rehabilitation, a healthcare provider based in New York, reported a significant data breach to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights. The incident affected 1,353 individuals and involved unauthorized access and disclosure of protected health information (PHI).
What Happened
According to the breach notification filed with federal regulators, NHPP Physical Medicine and Rehabilitation experienced an unauthorized access/disclosure incident that compromised patient data stored in its systems. The breach was classified as affecting "other" systems containing protected health information, indicating that the incident occurred outside the typical reporting categories of email, network servers, or portable devices.
The healthcare provider discovered the security incident and subsequently notified affected individuals on June 5, 2025, approximately two weeks after reporting the breach to federal authorities. This timeline aligns with HIPAA breach notification requirements under the HITECH Act, which mandates that covered entities notify the HHS Office for Civil Rights within 60 days of discovering a breach affecting 500 or more individuals.
Notably, the incident did not involve a business associate, indicating that the breach originated from within NHPP's own systems or operations rather than through a third-party vendor relationship.
Who Is Affected
The data breach impacted 1,353 patients who received services from NHPP Physical Medicine and Rehabilitation. These individuals likely sought treatment for:
- Physical therapy services
- Rehabilitation medicine
- Pain management
- Musculoskeletal conditions
- Post-injury recovery programs
Patients affected by this breach should have received direct notification from the healthcare provider explaining the incident and outlining steps being taken to address the situation.
Breach Details
Based on the information reported to federal regulators, here are the key details:
- Entity Name: NHPP Physical Medicine and Rehabilitation
- Location: New York State
- Individuals Affected: 1,353 patients
- Breach Type: Unauthorized Access/Disclosure
- Date Reported to HHS: May 23, 2025
- Patient Notification Date: June 5, 2025
- Business Associate Involvement: None
- System Location: Other (not specified as email, network, or portable device)
The breach falls under 45 CFR § 164.402 of the HIPAA Security Rule, which defines a breach as the "acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule."
What This Means for Patients
This unauthorized access incident represents a serious HIPAA violation that potentially exposed sensitive medical information. While specific details about the type of data accessed remain undisclosed, typical physical medicine and rehabilitation records may contain:
- Patient names and contact information
- Social Security numbers
- Insurance information
- Medical diagnoses and treatment plans
- Physician notes and assessments
- Billing and payment records
- Emergency contact details
The exposure of such information creates several risks for affected patients:
Privacy Violations
Unauthorized access to medical records represents a fundamental breach of patient privacy rights protected under HIPAA's Privacy Rule (45 CFR § 164.502).
Identity Theft Risk
If personal identifiers like Social Security numbers were accessed, patients face increased risk of identity theft and fraudulent account creation.
Medical Identity Theft
Criminals may use stolen health information to obtain medical services, prescription drugs, or file fraudulent insurance claims.
Legal Investigation
National law firm Federman & Sherwood has announced that it is investigating this breach for potential data breach litigation and consumer protection claims, suggesting the incident may have significant legal ramifications.
How to Protect Yourself
If you are among the 1,353 affected patients, take these immediate steps:
Monitor Your Accounts
- Review medical bills and insurance statements carefully
- Check credit reports from all three major bureaus (Equifax, Experian, TransUnion)
- Monitor bank and credit card statements for unauthorized transactions
Protect Your Identity
- Consider placing fraud alerts on your credit files
- Evaluate credit freezes if you're particularly concerned about identity theft
- Update passwords for healthcare portals and insurance accounts
Stay Vigilant for Medical Identity Theft
- Review Explanation of Benefits (EOB) statements from insurance
- Verify all medical services listed match treatments you actually received
- Report suspicious medical charges immediately to your insurance provider
Document Everything
- Keep records of all communications regarding the breach
- Save copies of breach notification letters
- Track any time spent addressing breach-related issues
Prevention Lessons for Healthcare Providers
This incident highlights critical cybersecurity challenges facing healthcare organizations. The breach serves as a reminder that medical practices must implement robust security measures:
Technical Safeguards
- Access controls limiting who can view patient records
- Audit logs tracking all system access and data modifications
- Encryption for data at rest and in transit
- Regular security assessments and vulnerability testing
Administrative Safeguards
- Employee training on HIPAA compliance and cybersecurity
- Incident response procedures for rapid breach detection
- Business associate agreements with proper security requirements
- Risk assessment programs identifying potential vulnerabilities
Physical Safeguards
- Facility access controls protecting computer systems
- Workstation security preventing unauthorized access
- Device and media controls for portable storage and devices
Under 45 CFR § 164.308, covered entities must implement administrative, physical, and technical safeguards to protect electronic PHI. This breach suggests potential gaps in one or more of these required security areas.
Regulatory Response and Compliance
The HHS Office for Civil Rights will likely investigate this incident to determine:
- The root cause of the breach and how it occurred
- The adequacy of the security measures in place at NHPP
- The timeliness and completeness of breach notifications
- Potential HIPAA violations and associated penalties
HIPAA violations can result in significant financial penalties ranging from $100 to $50,000 per violation, with annual maximums reaching $1.5 million depending on the level of negligence involved.
Moving Forward
This breach affecting NHPP Physical Medicine and Rehabilitation patients underscores the ongoing cybersecurity challenges facing healthcare providers. As medical practices increasingly digitize patient records and rely on interconnected systems, the attack surface for potential breaches continues to expand.
Patients should remain vigilant about protecting their personal health information while advocating for stronger security measures from their healthcare providers. Healthcare organizations must prioritize cybersecurity investments and HIPAA compliance to maintain patient trust and avoid costly regulatory penalties.
The investigation by Federman & Sherwood may provide additional insights into the scope and impact of this breach as more details emerge through the legal process.