Health Data Breach Not Reported for Seven Months (Security News, January 2020)
Under HIPAA, covered entities are required to report breaches impacting protected health information within 60 days of discovering the breach.
In its breach notification statement, PIH Health says that on June 18, 2019, it learned that certain PIH Health employee email accounts had potentially been accessed without authorization as a result of a targeted phishing campaign.
"PIH Health then worked diligently to identify contact information for all potentially affected individuals in order to provide them with notice of the incident." The incident was then reported to HHS nearly two months later.
"We don't yet know why PIH Health took four months to understand the June attack was a breach of unsecured PHI, or took almost two more months to report the breach to OCR," notes independent HIPAA attorney Paul Hales.
The HITECH Act mandates that covered entities notify individuals of a health data breach without unreasonable delay but in no case later than 60 days from the discovery of the breach, except where law enforcement has requested a delay.
News URL
https://www.inforisktoday.com/health-data-breach-reported-for-seven-months-a-13652