Security News > 2021 > January > Einstein Healthcare Network Announces August Breach
Einstein Health Network, a Pennsylvania-based company operating medical rehab, outpatient and primary care centers, announced a breach of its employee email system, which exposed patient personal and medical information.
Einstein emphasized the breach didn't affect all patients, just those contained within employee email accounts.
Threatpost contacted Einstein Healthcare Network for comment but has not yet heard back.
The five-month lag in reporting the attack puts Einstein Health Network in clear violation of the Health and Human Services HIPAA Breach Notification Rule, which mandates individuals be notified "without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity."
"As for why Einstein Healthcare failed to notify its end users within a reasonable time period, that was likely a business decision to be further removed from the time of the incident. Without more serious penalties, there is not a strong incentive to report these breaches," he said.
News URL
https://threatpost.com/einstein-healthcare-network-announces-august-breach/163237/