Navicent Health, the second-largest hospital in Georgia, is notifying patients that their personal data was potentially breached after a cyberattack on its employee email account system.
According to the notice, officials first discovered in July 2018 that an unauthorized third party had gained access to its employee and hosted email accounts. An investigation was launched into the security incident with help from an outside forensics security firm to determine what patient information was compromised in the attack. Law enforcement was also notified.
The investigation concluded on January 24 and determined that the accounts contained patient names, dates of birth, addresses, and limited medical data, such as billing and appointment information. Some patients’ Social Security numbers were compromised in the attack; those patients will receive a year of free identity theft protection services.
Officials said they don’t know if any of the data was viewed or acquired by the hacker. Further, they could not “isolate exactly what, if any, information may have been obtained.” However, the cyberattack was limited to employee email accounts and did not impact Navicent’s network or EHR system.
Navicent is currently evaluating additional platforms, educating employees, and reviewing its technical controls. Officials did not explain if the review caused a delay in breach reporting, given the attack happened nearly eight months ago.
Under HIPAA, covered entities and business associates are required to report a breach within 60 days of first discovering the incident. The Department of Health and Human Services has settled with several health organizations in recent years for failing to report a breach in a timely manner.
In 2017, Presence Health became the first provider to settle with the Office for Civil Rights over a lack of timely breach notification. The Illinois-based provider paid OCR $475,000 as a result of that failure, even though just 836 patients were impacted.
Despite the settlement and HIPAA rule, there have been several breach notifications in recent months where timeliness has been a factor. The largest, Wolverine Solutions Group, has been rolling out notifications to its providers since a ransomware attack breached its network in September 2018.
The third-party vendor explained that the investigation had been ongoing since the initial attack, which led to the “rolling breach notifications” as officials attempted to determine exactly which clients and what information were involved. In total, Michigan’s Attorney General estimated that about 600,000 patients were impacted by the attack.