
Upstream Rehabilitation Data Breach Investigation

The Lyon Firm is representing plaintiffs nationwide in a variety of data privacy litigation, including data breach events that put victims at risk of fraud and identity theft. We are currently investigating the Upstream Rehabilitation data breach incident that may have leaked the Social Security numbers and other personal data of thousands of individuals.

Upstream RollCo LLC has begun sending out data breach notification letters to impacted clients after a data security incident may have impacted the personal data of certain individuals. Attorneys General across the country have been notified. Upstream has recently provided details of the data breach event to affected individuals, a supplement to information that Upstream provided back in April 2023.

What Happened?

Upstream discovered suspicious activity on their employee email accounts and began an investigation into the nature and scope of the attack. The investigation concluded that certain sensitive files stored within the email accounts may have been accessed by an unauthorized party in January and early February of 2023.

The Upstream Rehabilitation personal information potentially compromised varies by individual, and may include the following types of personal information:

  • Name
  • Date of birth
  • Contact information
  • Demographic information
  • Medical information
  • Health insurance information
  • Social Security number

About Upstream RollCo

Upstream RollCo LLC is a healthcare services company based in Birmingham, Alabama, providing outpatient rehabilitation services. The company operates free-standing physical therapy clinics, outpatient rehabilitation management services and a network of rehabilitation service providers.

Can I File an Upstream Data Breach Claim?

If you have received a data breach notice from the company, contact our legal team to discuss your next steps in protecting yourself and seeking compensation for damages. When companies that collect and store your personal data fail to properly protect that information, they may be liable for any losses incurred.

The HIPAA Breach Notification Rule dictates that the proper notifications be issued to the HHS no more than 60 days after the date of discovery of the security breach at hand. Our attorneys have seen impacted organizations wait as long as possible before alerting impacted individuals, an unfortunate habit that places consumers at risk of identity theft and fraud.

Delays to healthcare data theft notifications could result in Upstream clients' personal data going unprotected for months before the victims are even aware of the data breach event. Our lawyers believe promptly sending out data breach notification letters and being transparent about the security risks for individuals is essential.

The HHS has also stated that if any healthcare entity does not comply with the 60-day rule, they may be liable for notification violations and further fines.