A notification letter template that showed up on the California Attorney General’s site this week is dated “February 19, 2021.” I assume the 2021 is a typo based on the rest of the letter.
The letter from Orthopedic Associates of Hawaii (OAH) begins (emphasis added by this site):
Orthopedic Associates of Hawaii, All Access Ortho and Specialty Suites d/b/a Minimally Invasive Surgery of Hawaii (collectively “the Practices”) write to inform you of a recent event that may affect the security of some of your information.
“Recent event?” If you read the full notification letter (embedded below), you find that the incident occurred on February 12, 2021 and was discovered on February 19, 2021. Yes, 2021 — one year ago. This was not a “recent” event at all.
Reading further, it appeared that this was a ransomware incident. It is not clear from the notice who the attackers were and whether any ransom was paid to get a decryption key. OAH states that HHS has been notified, but their notice has not yet shown up on HHS’s public breach tool as of the time of this publication, so we do not yet know how many patients were notified.
But then there was also this part of their notification that resulted in some teeth-grinding here (emphasis added):
On or around April 2, 2021, the investigation confirmed certain systems were accessible by an unknown actor between February 12, 2021 and February 19, 2021, and certain, limited data was downloaded. In an abundance of caution, we performed a comprehensive review of the information stored in our systems at the time of event to identify the individuals whose information may have been impacted.
“In an abundance of caution?” Seriously? Finding out who had their data compromised or potentially downloaded and who needed to be notified under applicable federal and state laws does not qualify as an “abundance of caution” by my standards.
I suspect this incident will result in a potential class-action lawsuit given the delay in notification, but that doesn’t mean that any suit will prevail. According to the letter signed by Jessica Drew, Nurse Manager for The Practices, they have no indication of any misuse of patient data, but the types of information in the system at the time of the breach included:
full name, address, date of birth, medical treatment and diagnosis information, health insurance information, and for a limited number of individuals, Social Security number.
OAH is offering those impacted some mitigation services with Experian Identity Works, but the support appears to be available from the date of the letter. But is that 2021, then, or 2022?