Three recent data breach disclosures involving patient data all exceeded HIPAA’s 60-day deadline to notify HHS and individuals.
Yakima Valley Radiology
A breach involving the Washington state radiology service was added to Karakurt’s leak site in November 2023 with a listing claiming — without proof — that they had acquired 9.31 GB of files: financial reports, client lists with contacts, a list of patients spanning 15 years (212579 rows), and a database of Social Security numbers (including staff and doctors) with 766000 rows. DataBreaches contacted Yakima Valley Radiology and Multicare by phone and other means in November but never got a reply from Yakima about this incident. The incident was only recently reported to the Maine Attorney General’s site, on March 1, as impacting 235,249 people. As is too often the case, the law firm of McDonald Hopkins reported the incident to the state as having been discovered on January 31, 2024, even though Yakima’s notification letter and website notice stated that they first discovered the August 11 breach on August 18, 2023. January 31 was the date on which they completed their investigation, not the date they discovered the breach. The gap from August 18, 2023, to March 1, 2024, when letters were sent out to patients, was 196 days.
From Sec. 13402 of HITECH:
(c) Breaches Treated as Discovered.—For purposes of this section, a breach shall be treated as discovered by a covered entity or by a business associate as of the first day on which such breach is known to such entity or associate, respectively, (including any person, other than the individual committing the breach, that is an employee, officer, or other agent of such entity or associate, respectively) or should reasonably have been known to such entity or associate (or person) to have occurred.
(d) Timeliness of Notification.—
(1) In General.—Subject to subsection (g), all notifications required under this section shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach by the covered entity involved (or business associate involved in the case of a notification required under subsection (b)).
(2) Burden of Proof.—The covered entity involved (or business associate involved in the case of a notification required under subsection (b)), shall have the burden of demonstrating that all notifications were made as required under this part, including evidence demonstrating the necessity of any delay.
It appears Yakima Valley Radiology did not comply with the timeliness of notification requirement. If one simply looked at the reporting form filed in Maine, where Yakima’s attorneys made it sound like the discovery was January 31, then the March 1 letter was within the 60 days required by HIPAA and HITECH. But it wasn’t, and there is no explanation for why it took more than 6 months from discovery to notify patients and HHS. At last check, the incident does not even appear on HHS’s public breach tool. Maine does not have a 60-day window like HITECH does, so Yakima may not be in violation of Maine law, but they appear to be noncompliant with HIPAA.
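To make the Sec. 13402 arithmetic concrete, here is an added compliance-check example (not code from the post or from any of the entities named): it computes the gap from the entity’s own stated discovery date, the gap a regulator would compute from the date filed on a state form, and flags the case where the filed date is later than the stated one. The three timelines are built from dates in this post; PCLI’s discovery date is assumed to be November 13, 2023.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

HITECH_DEADLINE_DAYS = 60  # Sec. 13402(d)(1): no later than 60 calendar days after discovery

@dataclass
class BreachTimeline:
    entity: str
    discovered: date  # first day the breach was known or should have been known, Sec. 13402(c)
    notified: date  # date notification letters went out
    reported_discovery: Optional[date] = None  # discovery date as filed with a regulator, if it differs

    def days_to_notify(self) -> int:
        return (self.notified - self.discovered).days

    def deadline(self) -> date:
        return self.discovered + timedelta(days=HITECH_DEADLINE_DAYS)

    def is_timely(self) -> bool:
        return self.notified <= self.deadline()

    def days_by_reported_discovery(self) -> Optional[int]:
        """Gap a regulator would compute from the filed date; None if no separate date was filed."""
        if self.reported_discovery is None:
            return None
        return (self.notified - self.reported_discovery).days

    def discovery_misreported(self) -> bool:
        """True when the filed discovery date is later than the entity's own stated discovery date."""
        return self.reported_discovery is not None and self.reported_discovery > self.discovered

def assess(t: BreachTimeline) -> dict:
    """Summarize 60-day compliance and whether the filed date makes a late notice look timely."""
    filed_gap = t.days_by_reported_discovery()
    return {
        "entity": t.entity,
        "days_to_notify": t.days_to_notify(),
        "deadline": t.deadline().isoformat(),
        "timely": t.is_timely(),
        "looks_timely_by_filed_date": filed_gap is not None and filed_gap <= HITECH_DEADLINE_DAYS,
        "discovery_misreported": t.discovery_misreported(),
    }

# Dates taken from the post; PCLI's discovery date is an assumption (November 13, 2023).
YAKIMA = BreachTimeline("Yakima Valley Radiology", date(2023, 8, 18), date(2024, 3, 1),
                        reported_discovery=date(2024, 1, 31))
COGDELL = BreachTimeline("Cogdell Memorial Hospital", date(2023, 10, 10), date(2024, 2, 23))
PCLI = BreachTimeline("Pacific Cataract and Laser Institute", date(2023, 11, 13), date(2024, 3, 1))
```

Running `assess(YAKIMA)` shows the pattern described above: 196 days and not timely by the stated discovery date, yet only 30 days and apparently timely by the date filed in Maine.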
Yakima Valley Radiology is still listed on Karakurt’s dark web leak site. The data were never leaked and it is not known whether Karakurt even still has any data, if they ever did. Karakurt seems to have serious problems with leaking data and Yakima Valley Radiology is not the only alleged victim of theirs where they never leaked data as threatened.
Scurry County Hospital District dba Cogdell Memorial Hospital
The Texas hospital claims it discovered a ransomware attack on October 10, 2023. In November, they were added to the Lorenz ransomware group’s dark web leak site. It wasn’t until February, however, that Cogdell notified HHS that 86,981 patients had been affected. According to the February notice on Cogdell’s website, “Although the forensic investigation could not rule out the possibility that an unknown actor may have accessed this information, there is no indication whatsoever that any information has been misused at this time. The type of information contained within the affected data included patient names, addresses, dates of birth, Social Security numbers, medical record numbers, and medical treatment information.”
The period from October 10, 2023, to February 23, 2024, is 136 days, more than double the 60-day maximum specified by HITECH.
There is no explanation for their failure to comply with the timeliness requirement. Nor is there any mention that Lorenz claimed to have almost 400 GB of files and has leaked what they estimate to be 95% of them. The listing provides a list of files, a multi-part leak, and some email files, but it appears that none of them can be accessed at this time without paying for a password. DataBreaches was therefore unable to confirm whether the data are real.
Should Cogdell have informed patients that their data are up for sale on the dark web?
Pacific Cataract and Laser Institute, Inc.
The Pacific Cataract and Laser Institute in California was the victim of a ransomware attack by LockBit between November 13 and November 14, 2023. On November 29, LockBit added the healthcare provider to its leak site. According to PCLI’s website notice and press release of March 1, the types of data accessed included name, medical treatment information, health insurance and claims information, financial account information, driver’s license information, Social Security number, and demographic information such as date of birth.
Like the two other entities mentioned in this post, PCLI did not notify individuals within the 60-day window, but they fared somewhat better than the others in that regard, notifying individuals approximately 109 days after discovery.
PCLI indicates that they notified HHS, but the incident has not appeared on HHS’s breach tool yet so we do not yet know the total number of patients affected.
Does HHS OCR Ever Enforce Timely Notification?
Has HHS OCR ever imposed monetary penalties for failure to notify no later than 60 days from discovery (as defined by HITECH)?
Its first enforcement of this kind was in 2017, after OCR investigated Presence St. Joseph Medical Center’s report of a breach of paper records in 2013. The hospital had missed the 60-day deadline because of reported miscommunication among workforce members. As a result, Presence did not notify HHS until 101 days after discovery and did not notify patients until 104 days after discovery.
Presence agreed to pay $475,000 and implement a corrective action plan.
Perhaps if OCR had consistently taken such enforcement actions in 2017 and 2018, we might not have seen so many untimely notifications in 2023. But they didn’t. DataBreaches cannot recall OCR ever imposing a monetary penalty and corrective action plan for late notification on any other HIPAA-covered entity since the Presence case.
In a few weeks, Protenus will be releasing its annual Breach Barometer report on breaches affecting health data in the U.S. during 2023. As in past years, their report, which incorporates analyses based on data compiled by DataBreaches, includes analysis of the gap between breaches and discovery, and the gap between discovery and notification. The problem of entities misreporting the “date of discovery” contributes to statistics where it may appear that entities are reporting timely when they are not.
But OCR’s failure to enforce the timely notification requirement does not mean that other regulators are not enforcing it. Two upcoming articles will shed additional light on this issue. One focuses on OCR’s response — or lack of response — to late notifications. A second looks at enforcement of timely notification by other federal regulators and state attorneys general and agencies.