Lifeline Health Systems is a HIPAA-covered entity, although not all the data involved in their 2022 breach was protected health information. Some of the data related to employees and family members.
But here’s the timeline Lifeline provides in their notification template:
On August 6, 2022, we identified unusual network activity. We immediately initiated our incident response protocols, which included isolating potentially impacted systems and network functions. We also began an investigation with the assistance of a computer forensics firm. The investigation determined that an unauthorized person gained access to our network between July 27, 2022 and August 6, 2022 and, during that time, accessed and/or acquired some of the documents on our system. We initiated a review of the documents involved to determine what information they contained. That review was very time intensive, and only recently concluded.
What conditions existed that should excuse Lifeline Health Systems from its obligation under the HIPAA Breach Notification Rule to notify HHS and those affected no later than 60 days from discovery? Is this another case where maybe HHS should take enforcement action and start handing out fines and corrective action plans to make sure entities comply with the timely notification rule?
The incident does not appear on Massachusett’s public breach tool at this time.