Will Beacon Health Solutions’ incident prompt OCR to start enforcing notification “without undue delay?”
The following is a DataBreaches.net commentary.
Beacon Health Solutions issued a press release yesterday about a breach they experienced last year as a business associate. Their press release provides a useful example of why OCR needs to get serious about enforcing the requirement that entities notify patients within 60 days of “discovery.” “Discovery” does not mean when an entity finally finishes figuring out whom to contact. “Discovery” means the date that a covered entity knows, or by reasonable diligence should have known, that a breach of unsecured PHI has occurred. The entity then has an obligation to notify the relevant parties (individuals, HHS and/or the media) “without unreasonable delay” or up to 60 calendar days following that date. As applied to a business associate,
§ 164.410 Notification by a business associate.
(a) Standard –
(2) Breaches treated as discovered. For purposes of paragraph (a)(1) of this section, a breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the Federal common law of agency).
(b) Implementation specifications: Timeliness of notification. Except as provided in § 164.412, a business associate shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.
Keep that in mind as you read Beacon Health Solution’s press release, issued yesterday:
TAMPA, Fla., April 21, 2021 /PRNewswire/ — On October 5, 2020, Beacon Health Solutions, LLC (“Beacon”) experienced a data security incident that prevented users from accessing systems and data. Upon discovering this incident, Beacon immediately launched an investigation and engaged a digital forensics firm to help determine what happened and what information may have been accessed. On January 29, 2021, Beacon determined that personal information and protected health information belonging to certain individuals was acquired without authorization as part of the incident.
But January 29 is not the date of “discovery,” despite what their notice might want you to believe. On November 3, DataBreaches.net contacted Beacon to inquire about the breach, which had already been posted on the Sodinokibi threat actors’ leak site. Getting no reply, DataBreaches.net emailed Beacon again on November 6 after REvil started dumping some of Beacon’s data on their site. Again, Beacon did not reply. On November 9, DataBreaches.net reported the breach as part of a series of ransomware attacks in a report about timely notification called “Without Undue Delay.”
On December 26, DataBreaches.net reached out to Beacon Health Solutions again — this time to Michael Friel, HIPAA Compliance Officer. That email said, in part:
I contacted Beacon Health Solutions on Nov. 3 and on Nov 6 and got no response to either inquiry about the ransomware attack claimed by REvil (Sodinokibi) threat actors.
It is now more than 60 days (and possibly more than 90 days?) since the threat actors attacked Beacon. Looking at their partial data dump, I see thousands of patients’ protected health information (PHI), from a number of your clients like OPTUM and HTA, as well as thousands of scans from your Lubbock mailroom. I also see appeals over denial of benefits, and files with EDI.
What I don’t see anywhere is where Beacon Health has issued any notification of this breach. Where is the disclosure and notification? Have I missed it somewhere? Please email me a copy of your disclosure/notice or point me to the url where it appears. Or if you haven’t issued any, please explain why you haven’t.
The following screencaps are listings of just some of the data the threat actors had dumped prior to that December 26 email from this site to Beacon. They are redacted by DataBreaches.net for this publication but were not redacted on the threat actors’ leak site.
Once again, Beacon did not respond.
On January 5, DataBreaches.net posted an update to the report, noting that in the interim Beacon Health Solutions had reported the breach to HHS on December 11, but had still not posted any notice or substitute notice.
Did they notify their clients (covered entities) on December 11, too? Their press release does not say.
And yet now, in April, they claim that “On January 29, 2021, Beacon determined that personal information and protected health information belonging to certain individuals was acquired without authorization as part of the incident.”
On January 29? Seriously? OCR should not accept any claim that discovery was any time after the threat actors had already dumped proof and ePHI.
But to continue with Beacon’s press release, they now report:
The types of information potentially accessed varied by individual, but may have included name, address, Social Security number, driver’s license, medical information, and health insurance information. The specific types of medical information and/or health insurance information that may have been accessed include Member/Medicaid ID numbers, treatment/diagnosis information, dates of service, provider name(s), patient account number(s), and medical record number(s).
Beacon reported this matter to the FBI and will provide whatever cooperation is necessary to hold perpetrators accountable. Impacted individuals were notified beginning on April 20, 2021. The notification included information about this incident and measures that can be taken to protect personal information and protected health information, including free identity monitoring and recovery services. To enroll in these services, affected individuals must call the toll-free number: 1-833-416-0905. Further information can be obtained at www.beaconh.com.
About Beacon Health Solutions, LLC:
Beacon is a third-party administrator (“TPA”) for managed care plans headquartered in Tampa, Florida.
SOURCE Beacon Health Solutions, LLC
Beacon reported this incident to HHS on December 11 as impacting 500 patients. DataBreaches.net believed that the number was inaccurate based on the data the threat actors had already dumped. In fact, the threat actors claimed to have exfiltrated 600 GB of data: “the most important information of the company, personal data, financial documents, clients ssn, bank documents, phone records.” Most of the data, if they did exfiltrate it, has not been dumped on their leak site. So where is it and what happened to it? Has it been sold privately on the dark web? Will it be dumped at some later date?
Why did it take from October 5 when the firm realized it had suffered a cyber attack until April 20 to start notifying patients and to offer them mitigation services when their data was freely available on the dark web for months? Does the notification to patients even tell them that some of the data was dumped publicly — and remains on a dark web site — freely available to everyone?
This incident is exactly the type of situation DataBreaches.net has been blogging about since last year — the need for notification of patients without undue delay. This blogger thinks that Beacon Health Solutions’ delay in notification to patients is unconscionable, although as some would likely point out, the duty to notify patients rests with the covered entity, not the business associate. So when were the covered entities informed, and when were they given the information needed to make notifications? We cannot give business associates 60 days to notify covered entities and then give covered entities another 60 days to notify patients. Too much harm can accrue to patients in four months.
As of today’s date, the incident still appears on HHS’s public breach tool as impacting 500 patients. The report appears to still be open, so hopefully, HHS/OCR will investigate this one. While we can all feel some sympathy for entities or business associates that are the victims of a cyberattack, we must reserve even more concern for the patients who trusted the entities with their personal and protected health information. They should not be left in the dark for 6+ months when their information is already in the hands of criminals and may be circulating online.
This post was corrected to reflect 6+ months and not 7 months since the entity’s recognition that they had experienced a data security incident.