Update: The county’s notice claims, “We have no evidence that any of your information has been used for identity theft or financial fraud as a result of this incident. Nevertheless, out of an abundance of caution, we wanted to make individuals aware of the incident and provide information on steps individuals can take to safeguard their information.”
The notice is not merely an “abundance of caution,” and it is misleading to suggest that the county had the option not to notify people. The county is a HIPAA-covered entity for some of the services it provides. As such, it was required to notify HHS and the affected patients no later than 60 calendar days after it discovered the breach. There is no “abundance of caution” option: if it is a reportable breach, it must be reported no later than 60 days from discovery. According to the county’s September 9 notification to HHS, 76,365 patients were affected. DataBreaches also notes that while the county appears to claim the breach was first discovered on August 1, HHS treats a breach as discovered as of the first day on which it is known to the covered entity or, by exercising reasonable diligence, would have been known to it (and knowledge of a business associate acting as the covered entity’s agent is imputed to the covered entity). The discovery date, not the date an investigation concludes, starts the 60-day clock.
Original post follows:
Kyle Pozorski reports:
A number of Richland County residents received a surprising letter over the weekend informing them of what has been called a “data security incident.”
According to a notice posted on the county’s website, the data breach occurred “on or about October 4, 2023.”
Many took to Facebook to voice their concerns on both the Richland Rants and Chats page and in the comments of a post by the Richland County Sheriff’s Office informing residents of calls made to their office. The letters caused many to call RCSO, some suggesting the letters were a scam. The sheriff’s office says they are, in fact, not a scam.
[…]
“The server was hacked around October of last year,” says Dull. “They did not let us know it was hacked, they kept it hush hush.”
Dull also claims “FBI cyber experts” were flown into the county from Texas and Colorado to investigate the breach. News 3 Now has not been able to verify this claim. Dull goes on to say there is growing frustration in the rural southwestern Wisconsin county and that “this should have been disclosed way before 11 months following a hack.”
Read more at Channel3000.
A check by DataBreaches of dark web leak sites maintained by ransomware gangs did not turn up any listings for Richland County.
Does this mean that they should have assumed a breach in data right away?
“DataBreaches also notes that while the county appears to claim that the breach was first discovered on August 1, breaches are treated as discovered by HHS as of the first day on which the breach is known or, by exercising reasonable diligence, would have been known to the physician (or where the BA is acting as their agent, their BA). “
When did they first discover/learn that the attacker(s) accessed the part of the system or network that contained PHI? And what did they then do? A manual review just shows you exactly what types of data for each individual were involved. In this case, it sounds like the county wasn’t even able to stop the breach immediately and that the attackers still had access until October 26. When did the forensics firm first tell the county that PHI was involved, or when did the county first know that?