On August 6, DataBreaches reported that the Hive ransomware team claimed to have attacked SERV Behavioral Health System and encrypted SERV’s files on May 26. The listing was added to Hive’s site on July 14. SERV did not respond to email inquiries from DataBreaches in July.
Time passed, but Hive never added any “proof pack” or data leak to their listing for SERV. And that’s where things remained until SERV issued a statement and notice to HHS on September 9 about the incident.
Their investigation, however, could neither confirm nor rule out that files had been accessed or acquired. “While we are unaware of any actual or attempted misuse of your information as a result of this incident, we are providing this notice out of an abundance of caution,” SERV writes.
Hive often provides victims with samples of files. Did Hive provide any data to SERV? If not, did SERV request any proof or file list or anything? And if they didn’t, why didn’t they?
So more than three months after they discovered an incident, SERV did not apologize for late notification to patients (HIPAA requires notice no later than 60 calendar days from discovery) and claimed they were notifying out of an abundance of caution?
Again, for the people in the upper deck who maybe didn’t hear this the first few thousand times: it is NOT an “abundance of caution” to notify if you are unsure what happened. The presumption is to notify unless you can prove there is no risk. If you don’t know what happened, but it could have involved PHI, notify and stop suggesting you don’t have to. Think my advice is legally incorrect? It may be as I am not a HIPAA lawyer, but even if it is not obligatory to notify in this type of situation, I believe it should be considered at least best practice.
SERV reported the incident to HHS as impacting 8,110 patients.
DataBreaches asked Hive whether they would provide proof in light of SERV’s statement that they could not confirm data had been accessed. Hive replied, “No comment.” SERV is their second medical sector breach that they have neither provided a proofpack for nor dumped, but the only one to claim that they were not sure data had been accessed or acquired.