While some states are decreasing the amount of time entities have to notify the state or individuals of a breach, the reality is that many entities are nowhere near complying with even more lenient deadlines.
HIPAA, for example, allows entities no more than 60 calendar days from discovery of a breach (the first day they knew they had a breach or with reasonable diligence, would have known). Yet some entities take almost a year or more to notify individuals.
This week, NorthBay Healthcare Corporation in California notified the Maine Attorney General’s Office that they were notifying 569,012 people of a breach that occurred between January 11 to April 1, 2024. NorthBay Health provides a range of medical services at its two hospitals, primary care locations, and specialized services locations.
The incident, which from media coverage in April 2024 sounds like a ransomware attack incident, was first detected as a network anomaly on February 23, 2024. In April 2024, when NorthBay posted a notice on their website about the disruption they were experiencing, they referred to it as a “cyberincident.”
The types of information involved included a lot of sensitive information, although the exact type(s) varied by individual: “name as well as date of birth, Social Security number, passport number, financial account number, medical information, biometric information, health insurance information, driver’s license number, state or other government-issued identification number, username and password, and credit or debit card number, including, for some individuals, the expiration date, security code, and/or PIN.”
So since early 2024, threat actors have been in possession of all that data, and yet people are first being individually notified now?
DataBreaches notes that this incident has not appeared on HHS’s public breach tool as of publication. It is possible NorthBay submitted to HHS at the same time as Maine but HHS may not have screened it and added it yet.