DataBreaches.Net


“Without Undue Delay,” Friday edition

Posted on February 26, 2021 by Dissent

The Jacobson Memorial Hospital & Care Center had a breach last year that they are first disclosing this week. Here’s the chronology, based on a statement from their external counsel:

  • July 28, 2020 — One employee’s email account is compromised and used to send out spam.
  • August 5, 2020 — Hospital manages to kick bad actor out of their system; hires forensics firm to investigate scope.
  • August 25, 2020 — Forensic investigation confirms single account was compromised. Hospital hires another vendor to search compromised account for PII/PHI.
  • September 27, 2020 — Search completed. Working with the vendor, hospital commences manual review of emails.
  • December 31, 2020 — Results of manual review received.
  • February 23, 2021 — Notifications made to 1,545 patients.

Given that chronology, the hospital may claim that notification was made within 60 days of "discovery," counting from the December 31 delivery of the manual review results. But the reality is that more than six months passed between the day the compromise was first recognized and the day patients were notified. Here's another example:

On June 1, 2020, Cornerstone Care became aware of suspicious activity associated with a corporate email account. A statement by their external counsel explains that they then began an internal investigation and hired independent computer forensic investigators to assist. After determining that it was (just) the one email account, the forensic investigator then "conducted an in-depth review of the email account to determine what Protected Health Information ("PHI") may have been included, and to extract contact information of potentially affected individuals. On January 13, 2021, that review was completed, and the list of potentially impacted individuals was provided to Cornerstone." Cornerstone then made notifications to 11,487 patients on February 25, with the date of discovery listed as January 13, 2021. But of course, the breach was first detected on June 1, 2020.

And yet more recent examples where notification is made months after a breach is discovered:

  • As previously reported on this site, Enders Insurance first notified people this month of a breach that occurred last April and was first discovered last May.
  • Gore Medical Management disclosed that they had notified 79,100 patients of a breach that they were alerted to by the FBI back in November 2020. Their statement does not indicate when the breach actually occurred, only when they first learned of it from the FBI.
  • And as previously reported this week, Fisher-Titus Medical Center is notifying patients whose PHI was potentially compromised when an employee’s email account was breached last August. The breach was detected in October. If there is a notification on their web site, it’s not easy to find.

When you compare these gaps between breach, "discovery," and notification to requirements under other countries' laws (the EU's GDPR, for one) that notification be made within 72 hours, maybe it's time for HHS and Congress to consider whether the definition of "discovery" and the 60-day window to notify "without undue delay" need to be amended.

Update: Here's another example of what I think is a too-long gap. This is from a press release posted today by Summit Behavioral Healthcare in TN:

Beginning in late May of 2020, Summit Behavioral Healthcare, LLC (“SBHC”) noticed suspicious activity associated with the personal information of SBHC employees, which prompted a forensic investigation into certain email accounts. SBHC engaged a third-party digital forensics firm to handle the investigation, which determined that there may have been unauthorized access to email accounts belonging to two (2) SBHC employees. On January 21, 2021, the investigation concluded that the impacted email accounts contained protected health information (“PHI”) belonging to some of its patients.

Categories: Breach Incidents, Commentaries and Analyses, Hack, Health Data, Of Note, U.S.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.