On August 8, Columbia River Mental Health Services (“CRMHS”) in Washington State notified HHS about a data security breach involving some employee email accounts.

A press release about the incident claims that CRMHS recently became aware of suspicious activity related to email accounts. They do not state exactly what they mean by “recently.”

An investigation revealed that there had been unauthorized access to some email accounts from May 14, 2021 to April 8, 2022.

CRMHS claims that on July 6, they became aware that protected health information was involved, and that they would be providing notice “in an abundance of caution” when their investigation concludes because the investigation could not confirm that information relating to specific individuals was actually accessed.

As of August 8 when their press release was issued, CRMHS had not yet begun mailing notification letters, and did not even seem to know exactly how many patients they were notifying, reporting the incident to HHS as affecting 501 patients, which is usually a marker for more than 500 but exact amount as yet unknown.

The full press release can be found at PRNewswire.

There seems to be a number of problems that HHS should investigate about this incident, including:

1. Why did it take from May 2021 until April 2022 to discover a breach?
2. HOW did they first discover or learn of the breach?
3. Notification was required no later than 60 days after discovery or when discovery would be reasonable. Assuming for now that CRMHS learned in April or thereabouts, then notification was to HHS and patients was due in June, not August 8 or later.
4. The notice does not indicate what kinds of information were in the affected employee accounts.

There will likely be updates to this one at some point.