DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Maxim Healthcare notifies patients of breach that occurred in October, 2020

Posted on November 8, 2021 by Dissent

On November 4, Maxim Healthcare Group, including Maxim Healthcare Services and Maxim Healthcare Staffing (collectively “Maxim Healthcare”) issued a press release about a breach — a press release they describe as issued “out of an abundance of caution.”  That sounds like they had an option not to disclose. I would think that they were required to make notification as a matter of law, but their lawyers might disagree with my non-lawyerly opinion.

According to their press release, on or about December 4, 2020, Maxim Healthcare became aware of unusual activity related to several employees’ email accounts. Investigation revealed that unauthorized access to some accounts had occurred between  October 1, 2020 and December 4, 2020.

Beyond that determination, however, Maxim was unable to determine which email messages or attachments had been accessed, so the investigators inspected all messages and attachment to determine what could potentially have been accessed.

The types of personal information that may have been accessible to an unauthorized actor include: name, address, date of birth, contact information, medical history, medical condition or treatment information, medical record number, diagnosis code, patient account number, Medicare/Medicaid number, and username/password. For a limited number of individuals, Social Security number may also have been accessible.

As part of their response to this incident, Maxim Healthcare “instituted additional security protocols, including implementation of Multi-Factor Authentication for all email accounts, and transitioned to a new Security Operations Center with advanced detection and response capabilities.”

Had they deployed MFA before this incident, would they have been successfully attacked?

You can read their full press release here.  A notification on their web site can be found here.

Will HHS accept their timeline as to why, when they first discovered a problem in December 2020, it took until November 2021 to notify patients?  Does the “no later than 60 days” really have any meaning or teeth if HHS never enforces it?  Why did it take until August 24 to get the review of email contents?  Should it be viewed as unacceptable and violative of HIPAA and HITECH to take this long to notify patients?

If these criticisms sound harsh or unfair, well, if your information might be in the hands of criminals and the entity you trusted with your information can’t even determine that, would you be okay not being informed for 11 months?

HHS OCR tends to use a somewhat non-punitive approach to working with entities when HHS investigates breaches. If that hasn’t worked to decrease the number of breaches because entities are still not deploying basic precautions like MFA, maybe it’s past time for HHS to take the velvet gloves off and start imposing some corrective action plans with monetary penalties — even if the penalties are not large.

Updated Nov. 9: The breach was reported to HHS as impacting 65,267 patients.

 

 

Category: Breach IncidentsHealth Data

Post navigation

← China says a foreign spy agency hacked its airlines, stole passenger records
Five Affiliates of Sodinokibi/REvil Have Been Arrested by Now →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Texas gastroenterology and surgical practice victim of ransomware attack
  • Romanian Citizen Pleads Guilty to ‘Swatting’ Numerous Members of Congress, Churches, and Former U.S. President
  • North Dakota Enacts Financial Data Security and Data Breach Notification Requirements
  • Pro-Ukraine hacker group Black Owl poses ‘major threat’ to Russia, Kaspersky says
  • Vanta bug exposed customers’ data to other customers
  • Lyrix Ransomware Targets Windows Users with Advanced Evasion Techniques
  • Central Maine Healthcare tackles suspected cybersecurity issue; hospitals remain open
  • Cartier Data Breach: Luxury Retailer Warns Customers that Personal Data Was Exposed
  • Beyond the Pond Phish: Unraveling Lazarus Group’s Evolving Tactics
  • Akira doesn’t keep its promises to victims — SuspectFile

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Supreme Court Agrees to Clarify Emergency Situations Where Police Don’t Need Warrant
  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.
Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report