KS: Labette Health discloses October, 2021 data security incident
Labette Health in Kansas has started notifying employees and patients of a data security incident.
According to a statement on their website, an investigation determined that unauthorized individual(s) potentially accessed and acquired information from portions of their network between October 15, 2021 and October 24, 2021.
It appears that it took them four months from the time of the attack until they determined what was accessed and whose files were accessed or acquired:
On February 11, 2022, following an extensive review and analysis of the data at issue, Labette Health determined that certain files and folders that may have been accessed or acquired contained identifiable personal and/or protected health information of employees and certain patients who received services from Labette Health, including the individuals’ full name and one or more of the following (to the extent it resided on Labette Health’s system): Social Security number, medical treatment and diagnosis information, treatment costs, dates of service, prescription information, Medicare or Medicaid number, and/or health insurance information. This incident does not affect all patients of Labette Health and Labette Health does not necessarily maintain all of the information listed above for all patients.
Labette Health’s statement indicates that it has no evidence to suggest that any information has been misused, and as of the time of this publication, DataBreaches.net has not seen any indication that data from this incident have been dumped on any leak site (but of course, some threat actors do not dump data until many months later, so vigilance is required). Disturbingly, once again, we see language that suggests notification is voluntary when it appears to be actually required:
However, out of an abundance of caution, on March 11, 2022, Labette Health sent written notification to anyone whose information may have been contained in the impacted files and folders and for whom it had enough information to determine a physical address.
“…out of an abundance of caution”? Entities are required to notify patients under these circumstances. In this blogger’s opinion, entities should not be suggesting that they are going above and beyond their obligations when they are actually just complying with what HIPAA and HITECH require of entities when they cannot provide compelling evidence that would make notification optional or unnecessary.
You can read their full website notice here.
This incident has not yet appeared on HHS’s public breach tool, so we do not yet have any number affected by this incident.