This seems to be the month in which many people affected by healthcare breaches in the summer of 2023 are first being notified individually (see, for example, reports on Southcoast Medical and Florida Community Health Centers). Here’s a third one:
MNGI Digestive Health was the victim of a cyberattack on August 20, 2023. They reportedly discovered the breach on August 25, 2023. On October 24, 2023, they notified HHS. However, it now seems that although HHS was notified of a breach in October, MNGI was not sending out notifications to affected patients then.
On July 15, MNGI notified the California Attorney General’s Office. Their notification letter to those affected stated that they learned on June 7, 2024 that the recipients’ personal and protected health information was potentially affected by the incident. A notice on MNGI’s website of the same date wrote (emphasis added by DataBreaches):
On June 7, 2024, MNGI identified that certain individuals’ personal and/or protected health information was potentially affected. The potentially affected information may include individuals’ names, Social Security numbers, driver’s license or state identification numbers, passport numbers, dates of birth, medical information and health insurance information, payment card information, and account numbers. On July 15, 2024, MNGI provided written notification of the incident via US mail to impacted individuals
So MNGI may have complied with the requirement to notify HHS within 60 days of discovery, but it was 11 months from discovery before they notified the 767,670 patients whose data was compromised by the AlphV (BlackCat) threat actors.
What happened to the data? Was the data recovered by law enforcement when they seized AlphV servers or is still in the wild or on some criminals’ server(s)? On September 30, 2023, AlphV had started leaking some of the data and threatened to leak the rest. MNGI’s letter is silent about any leak. On the contrary, it states, “Please note that MNGI has no evidence of the misuse or attempted misuse of any potentially impacted information.”
“No later than 60 days from discovery….”
In 2009, when HHS considered the notification timeliness requirements, perhaps 60 days from discovery of a breach seemed reasonable. Perhaps they didn’t really anticipate attacks resulting in encryption of entire systems.
Each year, Protenus’s Breach Barometer analyzes the gap between a breach, its discovery, and its disclosure to regulators and those affected. While many HIPAA-covered entities appear to comply with the 60-day window, when one digs into the actual facts and chronology, it seems that in some cases, the seeming compliance is only “compliance” if the entity redefines “discovery” to the date they finished their investigation and found that PHI was involved. But that is not how “discovery” is defined, and HHS OCR does not seem to really enforce timely notification compliance.
Should the 60-day “no later than” rule be amended if it is not realistic for entities to comply with it in the event of a ransomware attack that encrypts files? Or is the rule realistic, and entities need to be sure they have an incident response plan that will enable them to comply in the event of a breach? And does HHS OCR just need to crack down on this issue like it has cracked down on access to records?
This post has focused on health data breaches at HIPAA-covered entities that are first notifying patients many months later than the regulations call for. DataBreaches notes that there are other entities that still haven’t even sent notifications after all this time or more (see, for example, the reports on Essen Medical Associates, North Shore Medical Labs, Henrietta Johnson Medical Center, and EqualizeRCM). In addition, the following never updated initial “marker” reports to HHS since early 2023: Senior Choice, Inc., The Pavillion at Health Park, LLC, South Jersey Behavorial Health Resources, Inc., Unified Operations Virginia LP, Public Health Management, and Paramedic Billing Services. And Minuteman Senior Services has yet to update a report to HHS from January 2023 about an incident in November 2022. How many patients have never been notified as yet about breaches in the first half of 2023?
This is not the first time DataBreaches has raised the issue of whether the “no later than 60 days” rule should be either amended or enforced more rigorously. But until something changes, this site will continue to raise the issue.