Tardy Breach Notification Raises Eyebrows
Clinic Notifies HHS in April of January Incident, Then Waits Months to Tell Individuals
It's no secret that the detection of a security incident often takes weeks, months or, in extreme cases, years. But under HIPAA, once a breach involving protected health information is discovered, covered entities must notify affected individuals within 60 days.
So why did an Atlanta-based medical specialty practice apparently wait up to seven months to notify thousands of individuals affected by a security incident it says it "identified" in January?
In a notice posted on its website, Atlanta Allergy & Asthma says that on Aug. 20, it began notifying affected individuals of an unauthorized access incident that apparently occurred in January.
But the Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals, shows that the Atlanta practice reported the hacking incident to HHS' Office for Civil Rights on April 5, saying it had affected nearly 9,900 individuals.
"AAA identified unauthorized access to its network between Jan. 5 and Jan. 13, 2021," the practice says in the undated notice posted on its website.
"Based on its comprehensive investigation and document review, AAA discovered on July 8 that certain individual information was removed from its network in connection with this incident, including full names and one or more of the following: dates of birth, Social Security numbers, financial account numbers and/or routing numbers, diagnoses, treatment information and costs, procedure types, provider names, treatment location, dates of service, patient account numbers and/or health insurance information," the statement says.
"To date, AAA is not aware of any reports of identity fraud or improper use of any information as a direct result of this incident. AAA is providing notification of this incident to impacted individuals, commencing on August 20."
Under the HIPAA Breach Notification Rule, "individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach."
The rule states notifications must include, "to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity or business associate, as applicable."
The circumstances of the Atlanta practice's breach notification "are puzzling," says regulatory attorney Paul Hales of the Hales Law Group.
"AAA apparently discovered the breach … at least by Jan. 13, 2021, but waited to begin notifying affected individuals until August 20 - far later than the 60-day window required by HIPAA," he says. "HIPAA defines a breach as unauthorized access to PHI. On Jan. 13, AAA’s 60-day breach notification clock started to run."
On April 5, the Atlanta practice notified HHS of the breach and the exact number of affected individuals, he notes.
"AAA may be trying to claim that it only discovered the individuals affected by the breach on July 8. That would put an August 20 notification within the 60-day notification envelope. But how and why did it inform HHS on April 5 that the breach affected precisely 9,851 individuals?"
Data exposed in the breach could enable medical identity theft, "the fastest-growing type of identity theft in the U.S.," Hales says. "Medical identity theft poses risks to patient safety as well as to their financial well-being."
Hales also points out that the notice posted on the practice's website makes no mention that notification was delayed at the request of law enforcement officials.
The Atlanta practice did not immediately respond to Information Security Media Group's request for comment.
Privacy attorney Iliana Peters of the law firm Polsinelli notes that the process of identifying all of the indicators of compromise in a security incident, as well as all of the affected individuals, "is often incredibly complicated and resource-intensive."
That is particularly the case if there are many different files, devices or systems impacted by a security incident and many different individuals, including employees, patients and guarantors, affected by a breach, she says.
"Without additional detail, it’s very hard to say what the issues are with any specific breach," adds Peters, a former senior official at HHS OCR.
Federal regulators have imposed penalties following a handful of incidents involving delayed breach notification.
In January 2017, HHS OCR hit Illinois-based Presence Health with a $475,000 HIPAA settlement and corrective action plan in the agency's first enforcement action involving the failure to provide timely breach notification to individuals (see: $475,000 HIPAA Penalty for Tardy Breach Notification).
In that case, OCR said it received a breach notification report on Jan. 31, 2014, from Presence Health about a paper records breach discovered about four months earlier that had affected the PHI of 836 individuals.
“Covered entities need to have a clear policy and procedures in place to respond to the HIPAA Breach Notification Rule’s timeliness requirements," said Jocelyn Samuels, who was HHS OCR director at the time, in a 2017 statement about the settlement.
“Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach," she said.
In 2019, HHS OCR smacked Virginia-based Sentara Healthcare with a nearly $2.2 million HIPAA settlement in a case involving - among other potential violations - failure to properly notify HHS of a protected health information breach affecting 577 individuals (see: Sentara Hospitals' HIPAA Settlement: Why $2.2 Million?).
"When healthcare providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR," HHS OCR Director Roger Severino said in a statement at the time.