Health Data Breach Not Reported for Seven Months
Under HIPAA, covered entities are required to report breaches impacting protected health information within 60 days of discovering the breach.
In its breach notification statement, PIH Health says that on June 18, 2019, it learned that certain PIH Health employee email accounts had potentially been accessed without authorization as a result of a targeted phishing campaign.
"PIH Health then worked diligently to identify contact information for all potentially affected individuals in order to provide them with notice of the incident." The incident was then reported to HHS nearly two months later.
"We don't yet know why PIH Health took four months to understand the June attack was a breach of unsecured PHI, or took almost two more months to report the breach to OCR," notes independent HIPAA attorney Paul Hales.
The HITECH Act mandates that covered entities notify individuals of a health data breach without unreasonable delay but in no case later than 60 days from the discovery of the breach, except where law enforcement has requested a delay.
News URL
https://www.inforisktoday.com/health-data-breach-reported-for-seven-months-a-13652