Upstream Rehabilitation Data Breach Exposes Sensitive Personal and Health Information

Upstream Rehabilitation, recognized as the largest dedicated outpatient physical therapy provider in the United States, is grappling with the aftermath of a substantial data breach that potentially jeopardized sensitive personally identifiable information (PII) and protected health information (PHI) of an undisclosed number of individuals. This breach raises serious concerns about data security within the healthcare sector and could have profound implications for the patients affected.

Upstream Rehabilitation, operating under Upstream Rollco, LLC, has built a reputation as a prominent outpatient physical therapy and rehabilitation provider. With a network of over 1,200 physical and occupational therapy clinics spanning 28 states, the company serves more than 7 million patients annually. Their comprehensive services include outpatient rehabilitation, occupational therapy, managed healthcare services, sports medicine, and industrial services. Headquartered in Birmingham, Alabama, Upstream Rehabilitation boasts a workforce of over 10,000 dedicated employees.


The breach came to light when Upstream Rehabilitation’s cybersecurity team uncovered unauthorized access to employee email accounts. The breach unfolded in two distinct incidents, the first occurring between January 24 and 31, 2023, followed by a second breach between February 3 and 9, 2023. Subsequent investigations revealed that during these periods, an unauthorized actor may have gained access to sensitive PII and PHI, including but not limited to names, Social Security numbers, driver’s license numbers, dates of birth, financial information, medical records, and health insurance details.

Upstream Rehabilitation responded promptly by launching an in-depth internal investigation and swiftly implementing measures to bolster their system’s security. The company has initiated contact with individuals whose information may have been affected, aiming to provide them with support and guidance.

As of September 15, 2023, Upstream Rehabilitation has begun the process of notifying potentially impacted individuals, extending assistance to help safeguard their personal and financial information. The company is committed to ensuring that those affected have access to the necessary resources to monitor and protect their data.

In response to the breach, Upstream Rehabilitation has enlisted the expertise of cybersecurity professionals to conduct a comprehensive evaluation of their systems and enhance security measures. They are also cooperating with law enforcement agencies in their investigation into the breach.

Data breaches involving sensitive PII and PHI are a growing concern, especially within the healthcare industry, where patient confidentiality is paramount. The potential exposure of personal information, such as Social Security numbers and medical records, can have severe consequences for individuals, including identity theft and fraud.

This incident serves as a stark reminder of the importance of robust cybersecurity measures, not only for healthcare providers but for all organizations that handle sensitive personal information. As cyber threats continue to evolve, it is imperative that companies remain vigilant and proactive in safeguarding their data and the data of their clients and customers.

The Upstream Rehabilitation data breach underscores the ongoing cybersecurity challenges faced by organizations across various sectors. As investigations continue and affected individuals are notified, it is hoped that steps taken by Upstream Rehabilitation will help mitigate the impact of this breach and reinforce the need for improved data security practices in the healthcare industry and beyond.