On November 4, Maxim Healthcare Group, including Maxim Healthcare Services and Maxim Healthcare Staffing (collectively “Maxim Healthcare”) issued a press release about a breach — a press release they describe as issued “out of an abundance of caution.” That sounds like they had an option not to disclose. I would think that they were required to make notification as a matter of law, but their lawyers might disagree with my non-lawyerly opinion.
According to their press release, on or about December 4, 2020, Maxim Healthcare became aware of unusual activity related to several employees’ email accounts. Investigation revealed that unauthorized access to some accounts had occurred between October 1, 2020 and December 4, 2020.
Beyond that determination, however, Maxim was unable to determine which email messages or attachments had been accessed, so the investigators inspected all messages and attachment to determine what could potentially have been accessed.
The types of personal information that may have been accessible to an unauthorized actor include: name, address, date of birth, contact information, medical history, medical condition or treatment information, medical record number, diagnosis code, patient account number, Medicare/Medicaid number, and username/password. For a limited number of individuals, Social Security number may also have been accessible.
As part of their response to this incident, Maxim Healthcare “instituted additional security protocols, including implementation of Multi-Factor Authentication for all email accounts, and transitioned to a new Security Operations Center with advanced detection and response capabilities.”
Had they deployed MFA before this incident, would they have been successfully attacked?
Will HHS accept their timeline as to why, when they first discovered a problem in December 2020, it took until November 2021 to notify patients? Does the “no later than 60 days” really have any meaning or teeth if HHS never enforces it? Why did it take until August 24 to get the review of email contents? Should it be viewed as unacceptable and violative of HIPAA and HITECH to take this long to notify patients?
If these criticisms sound harsh or unfair, well, if your information might be in the hands of criminals and the entity you trusted with your information can’t even determine that, would you be okay not being informed for 11 months?
HHS OCR tends to use a somewhat non-punitive approach to working with entities when HHS investigates breaches. If that hasn’t worked to decrease the number of breaches because entities are still not deploying basic precautions like MFA, maybe it’s past time for HHS to take the velvet gloves off and start imposing some corrective action plans with monetary penalties — even if the penalties are not large.
Updated Nov. 9: The breach was reported to HHS as impacting 65,267 patients.