DataBreaches.Net


As 2020 draws to a close, it still takes too long to detect and notify patients of most breaches

Posted on December 31, 2020 by Dissent

The press release below the separator includes the kind of timeline that we often see in breach disclosures where an employee’s email account has been hacked. It continues to take many entities too long, in this blogger’s opinion, to detect breaches of their systems, then determine that PHI was involved, and then notify. In this case, the timeline was:

September 14 — entity discovered that unauthorized access to an employee email account had occurred on June 25. They do not tell us how they discovered it on September 14 or why they hadn’t discovered it on June 25 or immediately thereafter.

November 5 — Having apparently been reviewing the contents of the impacted email account since September 14, they determine that PHI may have been in the account. They do not explain why it took more than one month to go through one email account to make that determination. How many people were working on this and for how many hours per day?

On December 30, they announce they have now notified those affected.

So what we have is 6 months from an incident to notification. If you count the November 5 date as discovery of PHI impacted, they are notifying within 60 days. But it’s 6 months since the incident, and more than 3 months since they discovered an impacted employee email account.

As I suggested at the outset of this post, this entity, SCHA, is not atypical, and I do not use this press release to call them out as horrible or worse than the average entity. But 6 months from incident to notification does not serve patients or consumers well. Is the 60-day window/upper limit reasonable and acceptable when stolen data may be dumped immediately after an attack, or data may be promptly misused? What needs to change, if anything?

SCHA’s press release follows:


OWATONNA, Minn., Dec. 30, 2020 /PRNewswire/ — South Country Health Alliance (“SCHA”) has become aware of a data security incident that may have involved the personal information of some SCHA community members. SCHA has sent notification about this incident to potentially impacted individuals and has provided resources to assist them.

On September 14, 2020, SCHA discovered that unauthorized access to an employee email account had occurred on June 25, 2020. SCHA immediately secured the account, began an investigation, and engaged cybersecurity experts to assist with the investigation. On November 5, 2020, following a review of the contents of the email account, SCHA determined that personal information belonging to some SCHA community members may have been in the account. In response to learning this, SCHA took steps to identify current mailing addresses for the potentially impacted individuals so that SCHA could notify them and offer them complimentary credit monitoring and identity protection services.

Based on the investigation of the incident, the following personal and protected health information may have been involved in the incident: names, Social Security numbers, addresses, Medicare and Medicaid numbers, health insurance information, diagnostic or treatment information, date of death, provider name, and treatment cost information.

While SCHA is not aware of the misuse of any information impacted by this incident, on December 30, 2020 SCHA sent notice about this incident to potentially impacted members. Those letters provided information about the incident and about steps they can take to protect their personal information. SCHA also offered complimentary credit monitoring and identity protection services to potentially impacted members.

SCHA has established a toll-free call center to answer questions about the incident and to help impacted members enroll in complimentary credit monitoring and identity protection services. Call center representatives are available Monday through Friday from 8:00 a.m. to 8:00 p.m. Central Time and can be reached by calling 1-833-920-3172.

The privacy and protection of personal and protected health information is a top priority for SCHA, and SCHA deeply regrets any concern or inconvenience this issue may have caused and is taking affirmative steps to prevent a similar event from occurring in the future.

SOURCE South Country Health Alliance

