In recent weeks, a number of HIPAA-required notifications from covered entities and business associates have reported patient data breaches that occurred in 2020: Beacon Health Solutions, Planned Parenthood of Metropolitan Washington, DC, VEP Healthcare, and Administrative Advantage.
However, under HIPAA, covered entities and relevant business associates are required to report data breaches impacting more than 500 patients within 60 days of discovery—not at the close of an investigation.
As HealthITSecurity.com has reported at length, HIPAA spells out that a breach counts as “discovered” by an entity exercising reasonable diligence, which the rule defines as “the ‘business care and prudence expected from a person to satisfy a legal requirement under similar circumstances.’”
That means the Office for Civil Rights makes no exception to the timeline while an investigation is still ongoing. In fact, the only exception to the rule is a delay requested by law enforcement.
“Timing begins on when it is known, not when the investigation is complete — even if it is initially unclear whether the incident constitutes a breach as defined in the rule,” Corinne Smith, a healthcare attorney with Clark Hill Strasburger, previously explained. “The 60 days are an outer limit and in some cases it may be an unreasonable delay to wait 60 days.”
“It’s not a good idea to wait until your forensics investigation is complete before thinking about providing notice,” she continued. “It’s best to run parallel tracks – one preparing to notify patients and the other running the investigation.”
Beacon Health Reports Data Breach From October 2020
An undisclosed number of patients are being notified that their health information and personal data was compromised and acquired in October 2020, after a security incident at Beacon Health Solutions.
Florida-based Beacon Health is a third-party administrator for managed healthcare plans.
On October 5, the business associate “experienced a data security incident” that prevented access to its data and systems. An investigation, conducted with assistance from an outside digital forensics firm, concluded on January 29, 2021.
The review determined both personal and protected health information was acquired during the incident. The impacted data varied by patient but could include patient names, contact details, Social Security numbers, driver’s licenses, and health insurance information.
Medical data was also compromised or stolen during the incident and could include Member or Medicaid ID numbers, treatments, diagnoses, dates of service, provider names, patient account numbers and medical record numbers.
The notice does not provide further information on just what occurred, nor why Beacon Health waited more than five months to notify patients that their data had been stolen by hackers.
Planned Parenthood of Washington, DC Reports September 2020 Breach
An undisclosed number of patients of Planned Parenthood of Metropolitan Washington, DC (PPMW) were recently notified that their data was acquired during a security incident nearly six months ago in September 2020.
Unusual network activity was discovered on September 3, 2020, and PPMW took steps to secure the system. An investigation was launched with assistance from a third-party cybersecurity team, which concluded on October 21, 2020.
The team found that a hacker first gained access to the network on August 27, 2020, and that the access continued until October 8, 2020, more than a month later. During that time, the attacker stole copies of patient-related documents.
The stolen data varied by individual and could include names, dates of birth, contact information, medical record numbers, provider names, dates of service, diagnoses, treatments, and/or prescription information.
For some patients, health insurance details, financial account information, and SSNs were also part of the acquired data. These patients will receive complimentary credit monitoring and identity theft protection services.
PPMW did not explain the reason for the months-long gap between the breach’s discovery and the patient notifications. The health clinic is continuing to work with law enforcement.
VEP Healthcare Reports Phishing Incident From 2020
A phishing attack on California-based VEP Healthcare led to the compromise of several employee email accounts in 2020 and exposed some patient data.
VEP Healthcare is a business associate that provides emergency and hospital staffing management services and staffing for urban trauma centers and community hospitals.
The notice does not detail when the incident was first detected. But upon discovering the email-related incident, VEP launched an investigation with support from outside cybersecurity professionals that concluded on March 21, 2021.
A manual review determined that an attacker gained access to the accounts for about two months, between November 15, 2019 and January 20, 2020. The notification does not outline the impacted data, just that the accounts contained “personal information.”
VEP has since bolstered its email security, updated security policies and procedures, and provided employees with further security training. Officials said they’re also in the process of implementing two-factor authentication.
Third-Party Vendor Incident Impacts Remedy Medical Group
Some patient data belonging to Remedy Medical Group in California was compromised last year, after an email hack against its billing support services vendor, Administrative Advantage (AA).
Unusual activity was discovered on an AA employee email account in July 2020. Working with third-party computer specialists, AA determined the impacted email account was accessed by a hacker for several weeks between June 23, 2020 and July 9, 2020.
The account contained certain information received from its client providers, but AA could not conclusively determine whether the attacker accessed the information.
The affected data varied by individual but could include names, SSNs, financial accounts, driver’s licenses, state IDs, credit card numbers with expiration dates and CVVs, passports, electronic signatures, credentials, medical record numbers, Medicare or Medicaid numbers, treatment locations, diagnoses, health insurance information, lab results, and other treatment data.
Impacted patients will receive identity theft protection services. AA is currently reviewing its existing security policies and procedures and conducting further employee training to reduce risk to the enterprise.
Malware Attack on American College of Emergency Physicians
About 70,349 former and current members of the American College of Emergency Physicians are being notified that their data was compromised during a months-long malware attack in 2020.
ACEP provides professional organization services to members and healthcare organizations, including the Emergency Medicine Foundation, Emergency Medicine Residents’ Association, and the Society for Emergency Medicine Physician Assistants.
On September 7, 2020, the security team first detected unusual activity on its systems. A forensic review of the incident found that the attacker obtained SQL database credentials by compromising a separate server on which those credentials were stored.
The credentials allowed for unauthorized access to the members’ data for more than five months, between April 8, 2020 and September 21, 2020. The investigation could not rule out access to the data stored on the servers.
The affected information includes member, customer, or donor details, including contact details, SSNs, and/or usernames or email addresses and hashed passwords. No patient or health information was involved in the incident.
ACEP has since rebuilt the impacted server and issued a password reset, in addition to implementing further security measures.
Accellion Breach Tally Includes Memorial Sloan Kettering Cancer Center
Memorial Sloan Kettering Cancer Center (MSK) recently notified 1,893 patients that their data was included in the massive compromise of third-party service vendor Accellion.
First reported in February, threat actors exploited several unpatched vulnerabilities in Accellion’s File Transfer Appliance (FTA) and stole a trove of sensitive information in a widespread extortion campaign.
A wide range of companies were impacted by the incident, including those in the medical, financial, legal, energy, and telecommunications sectors. Centene, Trillium Community Health Plan, the Southern Illinois University School of Medicine, and Kroger were also among the healthcare victims.
Accellion informed MSK on January 23 that its document-sharing systems were included in the incident, which allowed the attackers to access and copy a subset of electronic documents stored on the system.
The investigation determined the access occurred January 20 to January 22, resulting in the unauthorized access of documents that contained the personal health information of some MSK patients.
The affected information varied by patient and could include names, dates of birth, contact information, test results, and treatments. For just three patients, SSNs or financial information was also compromised.
MSK continues to have access to all documents stored on the impacted system but will not be putting the Accellion FTA back into service.