Well, hold onto your hat. There has been some recent news in the world of healthcare data breaches, and not the good kind. Three recently reported incidents involving patient data all blew past the HIPAA Breach Notification Rule, which requires a covered entity to notify affected individuals, and (for breaches affecting 500 or more people) the Department of Health and Human Services (HHS), without unreasonable delay and no later than 60 calendar days after the breach is discovered. Yes, all three of them. Now isn't that a conundrum?
First up, Yakima Valley Radiology in Washington State. They took 196 days to break the news, more than three times the statutory window. They discovered the breach on August 11, 2023, yet their notice was worded as though the breach had only been identified in late January 2024. Quite the discrepancy. I have no quibble with McDonald Hopkins, the law firm that handled the notification, but their report did not set the record straight about the real discovery date. And then there is the curious absence of the whole episode from HHS's public breach portal.
Next, the Scurry County Hospital District, which runs Cogdell Memorial Hospital in Texas. They took 136 days, more than double the 60-day limit. They suffered a ransomware attack in October 2023 but did not notify HHS until February 2024. Their notice used the classic formulation: the investigation could not rule out that patient data was accessed, but there was no evidence of misuse. The juicier bit: the Lorenz ransomware group claimed to have taken almost 400 GB of the hospital's files and has already published 95% of them on its leak site. Did Cogdell tell its patients that their data was sitting on a criminal leak site? We may never know, because the hospital is staying mum on that point.
Our final contender in the cybersecurity faux pas pageant: the Pacific Cataract and Laser Institute. They took 109 days to report a ransomware attack from around mid-November 2023, which still comfortably overshoots the 60-day limit. According to their statement, they reported the incident to HHS, yet it has not surfaced on HHS's breach portal either. Filing with HHS does not cure a late notice to patients: the 60-day clock runs from the date of discovery, not from whenever the entity gets around to reporting.
Now listen closely, folks, because this is the confounding part. Has the HHS Office for Civil Rights (OCR) been asleep at the wheel? The last time OCR settled a case over late notification was in 2017, when Presence Health in Illinois paid $475,000 and agreed to a corrective action plan after its Presence St. Joseph Medical Center took 104 days to notify individuals about a breach of paper records, a delay blamed on a miscommunication between workforce members.
Prompt enforcement by OCR could have deterred similar slip-ups, yet 2023 saw plenty of delays. Don't fret, though: Protenus is due to release its annual Breach Barometer report on US healthcare breaches, and I'll wager it will be a bracing read. On a related note, stay tuned: we will delve into OCR's response, or lack thereof, to late notifications and look at how other regulators are cracking down on untimely reporting.
Ultimately, it's a hair-raising reminder of the importance of cybersecurity, timely reporting and, above all, transparency in the healthcare sector. So stay updated, stay involved and, definitely, stay safe out there!
by Parker Bytes