“Without Undue Delay,” Friday edition
The Jacobson Memorial Hospital & Care Center had a breach last year that they are first disclosing this week. Here’s the chronology, based on a statement from their external counsel:
- July 28, 2020 — One employee’s email account is compromised and used to send out spam.
- August 5, 2020 — Hospital manages to kick bad actor out of their system; hires forensics firm to investigate scope.
- August 25, 2020 — Forensic investigation confirms single account was compromised. Hospital hires another vendor to search compromised account for PII/PHI.
- September 27 — Search completed. Working with vendor, hospital commences manual review of emails.
- December 31, 2020 — Results of manual review received.
- February 23, 2021 — Notifications made to 1,545 patients.
Given that chronology, the hospital may claim that notification was made within 60 days of discovery. But the reality is that it is more than 6 months since the breach was first recognized/discovered. Here’s another example:
On June 1, 2020, Cornerstone Care became aware of suspicious activity associated with a corporate email account. A statement by their external counsel explains that they then began an internal investigation and hired independent computer forensic investigators to assist. After determining that it was (just) the one email account, the forensic investigator then “conducted an in-depth review of the email account to determine what Protected Health Information (“PHI”) may have been included, and to extract contact information of potentially affected individuals.” On January 13, 2021, that review was completed, and the list of potentially impacted individuals was provided to Cornerstone. Cornerstone then made notifications to 11,487 patients on February 25, with date of discovery listed as January 13, 2021. But of course, the breach was first detected on June 1, 2020.
And yet more recent examples where notification is made months after a breach is discovered:
- As previously reported on this site, Enders Insurance first notified people this month of a breach that occurred last April and was first discovered last May.
- Gore Medical Management disclosed that they had notified 79,100 patients of a breach that they were alerted to by the FBI back in November, 2020. Their statement does not indicate when the breach actually occurred — only when they first learned of it from the FBI.
- And as previously reported this week, Fisher-Titus Medical Center is notifying patients whose PHI was potentially compromised when an employee’s email account was breached last August. The breach was detected in October. If there is a notification on their web site, it’s not easy to find.
When you compare these gaps between breach, “discovery” and notification to requirements under other countries’ laws that notification be made within 72 hours, maybe it’s time for HHS and Congress to consider whether the definition of “discovery” and the “60 days” window to notify “without undue delay” provisions need to be amended.
Update: Here’s another example of what I think is a too-long gap. This is from a press release posted today by Summit Behavioral Healthcare in TN:
Beginning in late May of 2020, Summit Behavioral Healthcare, LLC (“SBHC”) noticed suspicious activity associated with the personal information of SBHC employees, which prompted a forensic investigation into certain email accounts. SBHC engaged a third-party digital forensics firm to handle the investigation, which determined that there may have been unauthorized access to email accounts belonging to two (2) SBHC employees. On January 21, 2021, the investigation concluded that the impacted email accounts contained protected health information (“PHI”) belonging to some of its patients.