Breach Reporting Timelines: Tale of Two Hacking Incidents
Breach Determination, Notification Is a Struggle for Some Entities - Why?
Two recently reported hacking incidents - each affecting tens of thousands of individuals - illustrate how widely the time and effort some entities need to determine and report a breach of protected health information can vary.
On one end of the spectrum, The Urology Center of Colorado on Nov. 5 reported to the Department of Health and Human Services a hacking/IT incident involving a network server affecting nearly 138,000 individuals.
Based on TUCC's breach notification statement and the HHS HIPAA Breach Reporting Tool website listing breaches affecting 500 or more individuals, the Denver-based organization reported the breach to the HHS Office for Civil Rights and began to notify affected individuals on Nov. 5 - within 60 days of discovering the incident on Sept. 8, as required under the HIPAA Breach Notification Rule.
But at the other end of the spectrum, in a hacking/IT incident involving email and affecting nearly 65,300 individuals, Maryland-based healthcare staffing firm Maxim Healthcare Group appears to have taken nearly a year from the time it says it discovered the incident, in December 2020, to report it and begin notifying affected individuals.
The HHS OCR breach reporting website shows that Maxim reported the breach on Nov. 4, which is about 11 months after the entity says it discovered the incident.
In its breach notification statement, Maxim says that "on or about" Dec. 4, 2020, it became aware of unusual activity related to several employees’ email accounts.
"Maxim Healthcare immediately began to investigate to better understand the nature and scope of this activity. The preliminary internal investigation revealed that a limited number of employees' email accounts were accessed without authorization between Oct. 1 and Dec. 4, 2020," the entity says.
Maxim Healthcare says it worked with outside forensic specialists to determine the full scope and impact of the incident.
But the investigation was unable to determine exactly which email messages or attachments may have been accessed or viewed without authorization, Maxim notes.
"In an abundance of caution, a detailed and thorough programmatic and manual review of the contents of the email accounts was performed to determine whether sensitive information was contained in the email messages or attachments at the time of the incident," Maxim says.
Maxim adds that upon receiving the initial results of the review on Aug. 24, it "worked diligently" to locate address information for the affected individuals, completing that effort on Sept. 21.
Some experts note that a long stretch between the discovery of a hacking incident, its review, and its reporting as a breach to regulators and notification of affected individuals can be problematic.
"It is very risky to put off breach notification until a forensic analysis can determine with certainty or precision the specific files that were compromised," says privacy attorney David Holtzman of consulting firm HITprivacy LLC.
"The HIPAA Breach Notification Rule requires that notification be made when there is a 'greater than low risk of compromise to unsecured PHI,'" he says.
In previous guidance, HHS OCR has stated that a cybersecurity incident or ransomware event is presumed to have been an unauthorized use or disclosure of PHI, Holtzman notes (see: HHS: Most Ransomware Attacks Are Reportable Breaches).
"The HITECH Act and the Breach Notification Rule provide that a breach is discovered by the covered entity when they knew or reasonably should have known of the breach," the former senior adviser at HHS OCR says.
"In this case, upon discovering that the information system on which PHI was maintained was compromised through a cybersecurity event, the breach notification clock started ticking."
The organization should have conducted an assessment to determine the risk of compromise to the data maintained in its information system, Holtzman says. "Or, presumed that all its data was compromised."
Similarly, in cases involving healthcare providers whose entire systems are locked up in a ransomware attack, the victims should reasonably assume that all PHI has been compromised, he adds.
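The two mechanics discussed above, the "programmatic and manual review" of mailbox contents that Maxim describes and the 60-day notification clock that Holtzman says starts at discovery, can be made concrete. The following is an added example written for this article, not tooling from Maxim, TUCC or HHS. The email messages, names, addresses and identifiers are constructed; the PHI patterns are illustrative rather than exhaustive; and the year 2021 for the TUCC and Maxim dates is assumed from the article's context.

```python
"""Mailbox PHI review plus HIPAA 60-day clock check (added example).

Hypothetical code written for this article, not Maxim's or TUCC's tooling.
All sample messages, people and identifiers below are constructed.
"""
import re
from datetime import date
from email.message import EmailMessage

# Indicators a content review looks for. Illustrative only: a real review
# also covers payer IDs, account numbers, names matched against a roster, etc.
PATTERNS = {
    # SSN: rejects area 000/666/9xx, group 00 and serial 0000 (SSA rules).
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[ :#]*\d{6,8}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[ :]*\d{2}/\d{2}/\d{4}\b", re.IGNORECASE),
    # ICD-10 diagnosis code such as E11.9 (letter, two digits, optional subcode).
    "icd10": re.compile(r"\b[A-TV-Z]\d{2}(?:\.\d{1,4})?\b"),
}


def _text_parts(msg):
    """Yield the subject plus every leaf MIME part (body and attachments) as text."""
    yield msg["Subject"] or ""
    for part in msg.walk():
        if part.is_multipart():
            continue  # container part; its children are walked separately
        if part.get_content_maintype() == "text":
            yield part.get_content()
        else:
            raw = part.get_payload(decode=True) or b""
            yield raw.decode("utf-8", errors="ignore")


def scan_message(msg):
    """Return {indicator: sorted unique matches} for one message."""
    hits = {}
    for text in _text_parts(msg):
        for name, pattern in PATTERNS.items():
            found = pattern.findall(text)
            if found:
                hits.setdefault(name, set()).update(found)
    return {name: sorted(values) for name, values in hits.items()}


def review_mailbox(messages):
    """Programmatic pass of the kind Maxim describes: flags messages whose
    subject, body or attachments contain PHI indicators. It establishes what
    was *present* in the account, not whether the intruder ever read it."""
    report = []
    for msg in messages:
        identifiers = scan_message(msg)
        report.append({
            "subject": str(msg["Subject"]),
            "identifiers": identifiers,
            "contains_phi": bool(identifiers),
        })
    return report


def notification_status(discovered_iso, notified_iso, limit_days=60):
    """Days from discovery to notification and whether the Breach Notification
    Rule's outer bound (60 calendar days) was met. The clock starts when the
    compromise is discovered, not when the content review finishes."""
    discovered = date.fromisoformat(discovered_iso)
    notified = date.fromisoformat(notified_iso)
    elapsed = (notified - discovered).days
    return elapsed, elapsed <= limit_days


def build_sample_mailbox():
    """Three constructed messages from a hypothetical compromised account."""
    referral = EmailMessage()
    referral["From"] = "scheduler@clinic.example"
    referral["To"] = "billing@clinic.example"
    referral["Subject"] = "Referral for MRN 0048213"
    referral.set_content("Patient Jane Roe, DOB 04/12/1971, SSN 123-45-6789, dx E11.9.\n")

    lunch = EmailMessage()
    lunch["From"] = "hr@clinic.example"
    lunch["To"] = "staff@clinic.example"
    lunch["Subject"] = "Team lunch Friday"
    lunch.set_content("Pizza in the break room at noon. No sign-up needed.\n")

    export = EmailMessage()
    export["From"] = "analyst@clinic.example"
    export["To"] = "scheduler@clinic.example"
    export["Subject"] = "Q3 census export"
    export.set_content("Attached is the census you asked for.\n")
    # PHI hiding in an attachment, not the body: the scan must walk MIME parts.
    export.add_attachment("name,mrn,ssn\nJohn Roe,MRN 0059901,321-65-4321\n",
                          subtype="csv", filename="census.csv")
    return [referral, lunch, export]


if __name__ == "__main__":
    for entry in review_mailbox(build_sample_mailbox()):
        print(entry)
    # Article dates; year 2021 assumed from context.
    print("TUCC :", notification_status("2021-09-08", "2021-11-05"))
    print("Maxim:", notification_status("2020-12-04", "2021-11-04"))
```

The review output lists which messages held PHI and which identifiers, which is what an entity needs to build its notification list; it says nothing about which messages the attacker opened, which is exactly why Holtzman argues the clock should not wait for that determination. The timeline check shows TUCC's 58 days inside the 60-day bound and Maxim's 335 days well outside it.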
To date, HHS OCR has imposed HIPAA enforcement penalties for delayed breach notification in only a handful of cases.
Those include the agency’s first such enforcement action, in January 2017, when HHS OCR hit Illinois-based Presence Health with a $475,000 HIPAA settlement and corrective action plan in a case involving the failure to provide timely breach notification to individuals.
And in 2019, HHS OCR smacked Virginia-based Sentara Healthcare with a nearly $2.2 million HIPAA settlement in a case involving - among several other potential violations - failure to properly notify HHS of a PHI breach affecting 577 individuals.
TUCC Breach Details
In its breach notification statement, TUCC says it discovered on Sept. 8 that its network may have been accessed "for a brief period" between Sept. 7 and Sept. 8.
By Oct. 30, TUCC says, it had completed its review of the incident. The HHS OCR breach reporting website shows TUCC reported the incident to HHS a few days later, on Nov. 5.
TUCC says the type of information potentially compromised varies by individual but includes name, date of birth, Social Security number, address, phone number, email address, medical record number, diagnosis, treating physician, insurance provider, treatment cost and/or guarantor name. The organization says it is offering potentially affected individuals credit monitoring and identity protection services.
Also, in the wake of the incident, TUCC says it has changed account passwords and is implementing additional security measures.
"The Urology Center of Colorado was victimized by a cyber-incident like many other organizations," TUCC says in a statement provided to Information Security Media Group.
"We took immediate and necessary steps to respond to the incident, including working with incident response specialists and notifying law enforcement. We are also notifying potentially impacted individuals and offering free identity protection services in an abundance of caution. We regret that this incident occurred and remain committed to treating our patients and protecting information in our care."
Maxim Breach Details
Maxim says the types of information that may have been affected include name, address, date of birth, contact information, medical history, medical condition or treatment information, medical record number, diagnosis code, patient account number, Medicare/Medicaid number and username/password.
For a limited number of individuals, Social Security numbers may also have been affected, Maxim says.
Since discovering the incident, Maxim says it has taken steps to enhance its security, including implementation of multifactor authentication for all email accounts and transitioning to a new security operations center with advanced detection and response capabilities.
Maxim Healthcare adds that it is "further committed to integrating additional cybersecurity infrastructure and security measures."
The organization says it is unaware of the misuse of any personal information that was affected by this event, but it is offering complimentary credit monitoring.
Maxim did not immediately respond to ISMG's request for additional details about the incident.