Health Data Breach Not Reported for Seven Months
Under HIPAA, covered entities are required to report breaches impacting protected health information within 60 days of discovering the breach.
In its breach notification statement, PIH Health says that on June 18, 2019, it learned that certain PIH Health employee email accounts had potentially been accessed without authorization as a result of a targeted phishing campaign.
"PIH Health then worked diligently to identify contact information for all potentially affected individuals in order to provide them with notice of the incident." The incident was then reported to HHS nearly two months later.
"We don't yet know why PIH Health took four months to understand the June attack was a breach of unsecured PHI, or took almost two more months to report the breach to OCR," notes independent HIPAA attorney Paul Hales.
The HITECH Act mandates that covered entities notify individuals of a health data breach without unreasonable delay but in no case later than 60 days from the discovery of the breach, except where law enforcement has requested a delay.
News URL
https://www.inforisktoday.com/health-data-breach-reported-for-seven-months-a-13652