DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Maxim Healthcare notifies patients of breach that occurred in October, 2020

Posted on November 8, 2021 by Dissent

On November 4, Maxim Healthcare Group, including Maxim Healthcare Services and Maxim Healthcare Staffing (collectively “Maxim Healthcare”) issued a press release about a breach — a press release they describe as issued “out of an abundance of caution.”  That sounds like they had an option not to disclose. I would think that they were required to make notification as a matter of law, but their lawyers might disagree with my non-lawyerly opinion.

According to their press release, on or about December 4, 2020, Maxim Healthcare became aware of unusual activity related to several employees’ email accounts. Investigation revealed that unauthorized access to some accounts had occurred between  October 1, 2020 and December 4, 2020.

Beyond that determination, however, Maxim was unable to determine which email messages or attachments had been accessed, so the investigators inspected all messages and attachment to determine what could potentially have been accessed.

The types of personal information that may have been accessible to an unauthorized actor include: name, address, date of birth, contact information, medical history, medical condition or treatment information, medical record number, diagnosis code, patient account number, Medicare/Medicaid number, and username/password. For a limited number of individuals, Social Security number may also have been accessible.

As part of their response to this incident, Maxim Healthcare “instituted additional security protocols, including implementation of Multi-Factor Authentication for all email accounts, and transitioned to a new Security Operations Center with advanced detection and response capabilities.”

Had they deployed MFA before this incident, would they have been successfully attacked?

You can read their full press release here.  A notification on their web site can be found here.

Will HHS accept their timeline as to why, when they first discovered a problem in December 2020, it took until November 2021 to notify patients?  Does the “no later than 60 days” really have any meaning or teeth if HHS never enforces it?  Why did it take until August 24 to get the review of email contents?  Should it be viewed as unacceptable and violative of HIPAA and HITECH to take this long to notify patients?

If these criticisms sound harsh or unfair, well, if your information might be in the hands of criminals and the entity you trusted with your information can’t even determine that, would you be okay not being informed for 11 months?

HHS OCR tends to use a somewhat non-punitive approach to working with entities when HHS investigates breaches. If that hasn’t worked to decrease the number of breaches because entities are still not deploying basic precautions like MFA, maybe it’s past time for HHS to take the velvet gloves off and start imposing some corrective action plans with monetary penalties — even if the penalties are not large.

Updated Nov. 9: The breach was reported to HHS as impacting 65,267 patients.

 

 

Related posts:

  • Two class action lawsuits against home healthcare providers get preliminary settlement approval
Category: Breach IncidentsHealth Data

Post navigation

← China says a foreign spy agency hacked its airlines, stole passenger records
Five Affiliates of Sodinokibi/REvil Have Been Arrested by Now →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.