DataBreaches.Net


As 2020 draws to a close, it still takes too long to detect and notify patients of most breaches

Posted on December 31, 2020 by Dissent

The press release below the separator includes the kind of timeline that we often see in breach disclosures where an employee’s email account has been hacked. It continues to take many entities too long, in this blogger’s opinion, to detect breaches of their systems, then determine that PHI was involved, and then notify.  In this case, the timeline was:

September 14 — entity discovered that unauthorized access to an employee email account had occurred on June 25. They do not tell us how they discovered it on September 14 or why they hadn’t discovered it on June 25 or immediately thereafter.

November 5 — Having apparently been reviewing the contents of the impacted email account since September 14, they determine that PHI may have been in the account.  They do not explain why it took more than one month to go through one email account to make that determination. How many people were working on this and for how many hours per day?

On December 30, they announce they have now notified those affected.

So what we have is 6 months from an incident to notification.  If you count the November 5 date as discovery of PHI impacted, they are notifying within 60 days.  But it’s 6 months since the incident, and more than 3 months since they discovered an impacted employee email account.

As I suggested at the outset of this post, this entity, SCHA, is not atypical, and I do not use this press release to call them out as horrible or worse than the average entity. But 6 months from incident to notification does not serve patients or consumers well. Is the 60-day window/upper limit reasonable and acceptable when stolen data may be dumped immediately after an attack, or data may be promptly misused? What needs to change, if anything?

 

SCHA’s press release follows:


OWATONNA, Minn., Dec. 30, 2020 /PRNewswire/ — South Country Health Alliance (“SCHA”) has become aware of a data security incident that may have involved the personal information of some SCHA community members. SCHA has sent notification about this incident to potentially impacted individuals and has provided resources to assist them.

On September 14, 2020, SCHA discovered that unauthorized access to an employee email account had occurred on June 25, 2020. SCHA immediately secured the account, began an investigation, and engaged cybersecurity experts to assist with the investigation. On November 5, 2020, following a review of the contents of the email account, SCHA determined that personal information belonging to some SCHA community members may have been in the account. In response to learning this, SCHA took steps to identify current mailing addresses for the potentially impacted individuals so that SCHA could notify them and offer them complimentary credit monitoring and identity protection services.

Based on the investigation of the incident, the following personal and protected health information may have been involved in the incident: names, Social Security numbers, addresses, Medicare and Medicaid numbers, health insurance information, diagnostic or treatment information, date of death, provider name, and treatment cost information.

While SCHA is not aware of the misuse of any information impacted by this incident, on December 30, 2020 SCHA sent notice about this incident to potentially impacted members. Those letters provided information about the incident and about steps they can take to protect their personal information. SCHA also offered complimentary credit monitoring and identity protection services to potentially impacted members.

SCHA has established a toll-free call center to answer questions about the incident and to help impacted members enroll in complimentary credit monitoring and identity protection services. Call center representatives are available Monday through Friday from 8:00 a.m. to 8:00 p.m. Central Time and can be reached by calling 1-833-920-3172.

The privacy and protection of personal and protected health information is a top priority for SCHA, and SCHA deeply regrets any concern or inconvenience this issue may have caused and is taking affirmative steps to prevent a similar event from occurring in the future.

SOURCE South Country Health Alliance


Category: Breach Incidents, Commentaries and Analyses, Hack, Health Data, HIPAA
