DataBreaches.Net

As 2020 draws to a close, it still takes too long to detect and notify patients of most breaches

Posted on December 31, 2020 by Dissent

The press release below the separator includes the kind of timeline that we often see in breach disclosures where an employee’s email account has been hacked. It continues to take many entities too long, in this blogger’s opinion, to detect breaches of their systems, then determine that PHI was involved, and then notify. In this case, the timeline was:

September 14 — entity discovered that unauthorized access to an employee email account had occurred on June 25. They do not tell us how they discovered it on September 14 or why they hadn’t discovered it on June 25 or immediately thereafter.

November 5 — Having apparently been reviewing the contents of the impacted email account since September 14, they determine that PHI may have been in the account. They do not explain why it took more than one month to go through one email account to make that determination. How many people were working on this and for how many hours per day?

On December 30, they announce they have now notified those affected.

So what we have is 6 months from an incident to notification. If you count the November 5 date as discovery of PHI impacted, they are notifying within 60 days. But it’s 6 months since the incident, and more than 3 months since they discovered an impacted employee email account.

As I suggested at the outset of this post, this entity, SCHA, is not atypical, and I do not use this press release to call them out as horrible or worse than the average entity. But 6 months from incident to notification does not serve patients or consumers well. Is the 60-day window/upper limit reasonable and acceptable when stolen data may be dumped immediately after an attack, or data may be promptly misused? What needs to change, if anything?

SCHA’s press release follows:


OWATONNA, Minn., Dec. 30, 2020 /PRNewswire/ — South Country Health Alliance (“SCHA”) has become aware of a data security incident that may have involved the personal information of some SCHA community members. SCHA has sent notification about this incident to potentially impacted individuals and has provided resources to assist them.

On September 14, 2020, SCHA discovered that unauthorized access to an employee email account had occurred on June 25, 2020. SCHA immediately secured the account, began an investigation, and engaged cybersecurity experts to assist with the investigation. On November 5, 2020, following a review of the contents of the email account, SCHA determined that personal information belonging to some SCHA community members may have been in the account. In response to learning this, SCHA took steps to identify current mailing addresses for the potentially impacted individuals so that SCHA could notify them and offer them complimentary credit monitoring and identity protection services.

Based on the investigation of the incident, the following personal and protected health information may have been involved in the incident: names, Social Security numbers, addresses, Medicare and Medicaid numbers, health insurance information, diagnostic or treatment information, date of death, provider name, and treatment cost information.

While SCHA is not aware of the misuse of any information impacted by this incident, on December 30, 2020 SCHA sent notice about this incident to potentially impacted members. Those letters provided information about the incident and about steps they can take to protect their personal information. SCHA also offered complimentary credit monitoring and identity protection services to potentially impacted members.

SCHA has established a toll-free call center to answer questions about the incident and to help impacted members enroll in complimentary credit monitoring and identity protection services. Call center representatives are available Monday through Friday from 8:00 a.m. to 8:00 p.m. Central Time and can be reached by calling 1-833-920-3172.

The privacy and protection of personal and protected health information is a top priority for SCHA, and SCHA deeply regrets any concern or inconvenience this issue may have caused and is taking affirmative steps to prevent a similar event from occurring in the future.

SOURCE South Country Health Alliance

Category: Breach Incidents, Commentaries and Analyses, Hack, Health Data, HIPAA
