In March, Texas Medical Liability Trust on behalf of itself and its affiliates, Texas Medical Insurance Company, Physicians Insurance Company, and Lone Star Alliance, Inc., a Risk Retention Group (collectively “TMLT”) filed a breach notification with the Maine Attorney General’s Office. That submission indicated that 625 individuals had been affected by a breach that occurred between October 2, 2022 and October 13, 2022.
On September 11, TMLT filed a second submission with Maine. This one indicated that they were reporting 59,901 individuals had been affected.
In its appended notification letter, TMLT did not change its initial report of what happened or when — the incident was still described as an unauthorized external actor accessing and, in some cases, acquiring data. There was nothing to suggest that there was any encryption or ransom demand involved.
In their first notification to the state, they wrote:
On January 13, 2023 notice was provided to the impacted policy holders. That notice provided the individuals associated with that policy that were potentially impacted, and offered to provide notice on the policy holders’ behalf to both individuals and regulators, as requested. This process is on-going. Based on policyholder responses at this time, we are providing notice to impacted individuals, which includes one (1) Maine resident. Written notice is being provided in substantially the same form as the letter attached here as Exhibit A. Notification to impacted individuals is ongoing and TMLT may supplement this notification if it is determined that a significant amount of additional Maine residents will receive notice.
Comparing the two notifications to Maine, the September 11 submission appears to simply be the result of more policyholders requesting TMLT provide notification on their behalf, although there is no indication as to who, exactly, those policyholders might be.
The types of information seem to vary by policyholder client. One notification template informed those affected that the information that could have been subject to unauthorized access included name, Social Security number, driver’s license number, and financial account information with access. Yet a notification letter sent to those whose data were being processed for medical malpractice claims services were told that the types of information involved included name, Social Security number, driver’s license number/government issued identification, financial account information, medical treatment and diagnosis information, and health insurance information.
How many of the almost 60,000 individuals were from that latter group is not specified and the incident has not appeared on HHS’s public breach tool so we do not know how many are patients. Nor do we know whether there will be additional supplemental reports over time, but it is hard to reconcile these disclosures with compliance with HIPAA’s 60-day notification rule.