The Puerto Rican Organization to Motivate, Enlighten, and Serve Addicts (PROMESA) discloses 2020 data breach
Is there anyone who thinks this timeline/delay to notification is just fine?
On July 17, 2020, Acacia determined that an unauthorized person gained access to certain employee email accounts for a limited time between June 6, 2020 and June 12, 2020.
Their investigation was inconclusive as to whether anyone accessed the emails and attachments in the accounts, so they reviewed every email. Unsurprisingly, they found protected health information.
PROMESA began notifying 30,220 patients on Feb. 22, 2022.
July 17, 2020 to February 22, 2022 is 585 days to notification.
When, oh when, is HHS either going to do some serious enforcement of the “no later than 60 calendar days” provision or seek amendment of the notification timeline requirements?