
Although some members of the public may not realize it, not all U.S. medical practices or practitioners are covered by HIPAA. But for entities that are regulated by HIPAA, HIPAA has some requirements for notifying patients about reportable breaches.
The first thing to understand is that for regulated entities, a breach is considered “discovered” on the first day on which the breach is known to the regulated entity, or, by exercising reasonable diligence, would have been known. In other words, if you know there was a breach involving protected health information (PHI) – or should have known by exercising reasonable diligence – then the breach has been “discovered.” And that’s when the time-to-notify clock starts running.
HIPAA gives entities no more than 60 calendar days from discovery to notify HHS and affected patients of a breach. That does not mean that an entity can take 60 days to notify if they could be notifying sooner. But 60 calendar days is supposedly the deadline to notify, unless there is an exception such as law enforcement asking the entity to delay notification so as not to interfere with a law enforcement operation.
Nothing in HIPAA says an entity can use a “rolling” method of notification in which an entity takes a year or more to finally get everyone notified. Yet has HHS OCR ever taken enforcement action against an entity for late notification like that? Spoiler alert: not to DataBreaches’ knowledge.
Three Examples of Notification Timeliness Noncompliance
Hospital Sisters Health System (HSHS)
On August 27, 2023, Hospital Sisters Health System (HSHS) in Illinois discovered they had been the victim of a ransomware attack where data was exfiltrated between August 16 and August 27. In early September, HSHS published an open letter to patients warning them about the potential misuse of their information based on received reports that patients were getting requests via email, SMS, and phone for payment of bills that had already been paid. HSHS would later state that it had no evidence of misuse of patient data for fraud or identity theft.
In October 2023, HSHS notified HHS that 500 patients had been affected, using the 500 as a placeholder until they completed their investigation and assessment. As of March 13, 2025, that number still hasn’t been updated on HHS’s public breach tool even though Hospital Sisters Health System notified the Maine Attorney General’s Office on February 6, 2025 that 882,782 people (total) had been affected by the breach. Whether all of them were patients was not indicated.
The type of information involved in the HSHS breach varied for each individual, but may have included their name, address, date of birth, medical record number, limited treatment information, health insurance information and Social Security number and/or driver’s license number.
HSHS’s notification offers no explanation for why they did not or could not comply with HIPAA’s requirement to notify no later than 60 calendar days from discovery.
Jaime S. Schwartz, M.D.
Plastic surgeon Jaime Schwartz, M.D. was the victim of a cyberattack by Hunters International. In October 2023, the threat actors listed Schwartz’s incident on their dark web and clear net leak sites. As proof of claims, they posted some nude photos of recognizable patients. In April 2024, they updated their listing to add more data. DataBreaches could find no evidence that Dr. Schwartz ever reported this breach at all to HHS or to all affected patients, even though Hunters International claimed to have acquired a lot of patient data.
In March of 2024, Dr. Schwartz was the victim of a second cyberattack. This one was by a different group of threat actors who tell DataBreaches that they acquired data on 1700 patients. They, too, uploaded nude photos of Dr. Schwartz’s patients. The nude photos are still online with the patients’ names and links to their files and documents. Their leak site, which is reportedly unrelated to the Hunters International leak site, does not require Tor or dark web access to see.
Dr. Schwartz appears to have disclosed the second breach to patients in January 2025, but the notification letter never told them their sensitive data is available for free downloading on a clear net leak site. Like the 2023 incident, the 2024 incident has not shown up on HHS’s public breach tool.
Holland Eye Surgery & Laser Center
In one of HHS OCR’s most blatant failures to enforce notification, Holland Eye Surgery & Laser Center was the victim of a hack and extortion attempt by Robert Purbeck (aka “Lifelock”) in June of 2016. The entity first disclosed the breach in 2018 after this site contacted them to ask if they had ever disclosed it, but their disclosure inaccurately claimed that they first discovered the breach in March of 2018. Police records obtained by DataBreaches.net showed that they knew about the breach in June 2016 and had filed police reports about it in July 2016. Their failure to notify timely and their false claims about discovery were reported to HHS in 2018 as a watchdog complaint with a request for enforcement action. To DataBreaches’ knowledge, HHS has never issued a monetary penalty or corrective action plan with monitoring to Holland Eye Surgery & Laser Center.
There are many more egregious examples of noncompliance with HIPAA or state notification requirements, but what’s the point of reporting them if HHS does nothing? HIPAA does not have a private cause of action, so patients cannot sue entities for failure to comply with the HIPAA notification requirement, but state attorneys general can enforce HIPAA, and maybe it’s time we start asking them to do what HHS OCR has generally failed to do. If things were getting better, it would not be as urgent, but as the data shows, things have been getting worse.
2024 was worse than 2023 in terms of timely notifications
Since 2016, DataBreaches.net has compiled data on how long it takes breached entities to disclose breaches. Our analyses, which include HIPAA-covered entities as well as non-HIPAA entities that had medical or health data involved in a breach, use three measures: the gap between a breach and its discovery, the gap between a breach and notification of patients or regulators, and the gap between discovery and notification of the breach. The gap analyses have been published in Protenus’s annual Breach Barometer reports, and most recently, in Bluesight’s 2025 Breach Barometer report. The analyses use both the mean and median to provide a fuller understanding of the gaps.
Using the mean, Bluesight reports in its analysis of 2024 breach data:
On average, it took organizations 102 days to identify a breach, a sharp increase from 79 days in 2023. This longer exposure period significantly heightens the risk of sensitive information being misused or stolen. Furthermore, once a breach was discovered, the average notification time stretched to 205 days, compared to 177 days in the previous year. These delays left affected individuals unaware of the risks to their personal data, delaying crucial protective actions like changing passwords, freezing credit, or monitoring for fraudulent activity.
Using the median provides a somewhat different picture, as described below.
Gap from breach to “discovery”
In 2023, the average gap between the occurrence of a breach and its discovery was 79 days if calculated using the arithmetic mean; if calculated by the median, it was 10 days. The significant difference between the mean and median indicates that there were one or more high numbers that skewed the mean upwards. In 2024, the arithmetic mean was 101.8 days, with a median of 8 days. If you use the mean, it took longer to discover a breach in 2024. In this case, the longest gap to discovery involved an entity that discovered that it had been inappropriately sharing patient data through tracking pixels since early 2015. If you use the more stable median, the typical breach was actually detected two days sooner in 2024 than in 2023.
Gap from breach to notification
In 2023, the average gap from breach to notification was 176.9 days (with a median of 83). Think about criminals having your identity information and sensitive data for months before you find out. In 2024, things got worse instead of better. The arithmetic mean to notification was 205.4 days (with a median of 116). In many cases, affected patients only found out quickly because threat actors post claims about their attacks on dark web leak sites and journalists or intel researchers often report on their claims. When entities realized that threat actors and media were already discussing their breaches, some entities responded by posting a notice on their site or issuing a statement that they were aware of claims or had detected suspicious activity and were investigating. But all too often, individual notification as required by HIPAA did not come until many months later, or even a year later — if at all.
Gap from discovery to notification
In 2023, the gap from discovery to notification was 112.6 days using the arithmetic mean, but 60 days using the median. It appears that many entities managed to notify within 60 days of discovery, although not all did (and not all were subject to HIPAA’s 60-calendar-day rule). In 2024, notifications were more delayed. It took an average of 127.66 days (arithmetic mean) to notify after discovery of a breach. The median was 87 days, almost a month longer than it took in 2023.
For data going back to 2021, see Bluesight’s 2025 Breach Barometer report.
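As an added illustration, not part of the original post or of the Breach Barometer analysis, the following Python computes the three gap measures described above over constructed breach records, shows how a single long-undetected incident (here a made-up tracking-pixel case) pulls the mean far above the median, and flags regulated entities that passed the 60-calendar-day discovery-to-notification deadline, treating an entity that never notified as late as of a cut-off date. All entity names, dates and the cut-off are constructed.

```python
"""Breach-timeliness gaps (breach->discovery, breach->notification, discovery->
notification) as mean and median, plus a HIPAA 60-calendar-day check. Constructed data."""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional

HIPAA_DEADLINE_DAYS = 60      # calendar days from discovery to individual notice
AS_OF = date(2024, 12, 31)    # constructed report cut-off date

@dataclass
class BreachRecord:
    entity: str
    breach_start: date
    discovered: date            # first day known, or should have been known
    notified: Optional[date]    # None: no individual notification found
    hipaa_regulated: bool = True

def gap_days(start: date, end: date) -> int:
    return (end - start).days

def gap_stats(records):
    """Return {gap_name: (mean, median)}; never-notified records are left out of the two notification-based gaps."""
    b2d = [gap_days(r.breach_start, r.discovered) for r in records]
    told = [r for r in records if r.notified is not None]
    b2n = [gap_days(r.breach_start, r.notified) for r in told]
    d2n = [gap_days(r.discovered, r.notified) for r in told]
    return {"breach_to_discovery": (mean(b2d), median(b2d)),
            "breach_to_notification": (mean(b2n), median(b2n)),
            "discovery_to_notification": (mean(d2n), median(d2n))}

def late_hipaa_notifications(records, as_of=AS_OF):
    """Regulated entities more than 60 calendar days past discovery; a never-notified one is measured to as_of."""
    return [r.entity for r in records if r.hipaa_regulated
            and gap_days(r.discovered, r.notified or as_of) > HIPAA_DEADLINE_DAYS]

# Constructed sample; "Practice C" mimics a tracking-pixel disclosure undetected for years.
SAMPLE = [
    BreachRecord("Clinic A", date(2024, 1, 10), date(2024, 1, 15), date(2024, 3, 1)),
    BreachRecord("Clinic B", date(2024, 2, 1), date(2024, 2, 11), date(2024, 6, 10)),
    BreachRecord("Practice C", date(2015, 2, 1), date(2024, 3, 1), date(2024, 4, 20)),
    BreachRecord("Hospital D", date(2024, 5, 1), date(2024, 5, 3), None),
    BreachRecord("Vendor E", date(2024, 3, 11), date(2024, 3, 20), date(2024, 7, 2),
                 hipaa_regulated=False),
]

if __name__ == "__main__":
    for name, (avg, med) in gap_stats(SAMPLE).items():
        print(f"{name:28s} mean={avg:8.1f}  median={med:7.1f}")
    print("late under HIPAA:", late_hipaa_notifications(SAMPLE))
```

With this sample the breach-to-discovery mean is 668.4 days against a median of 9, the same mean-versus-median skew the article describes, and only the two regulated entities (not the non-HIPAA vendor) are flagged as late.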
Why did it take longer in 2024? And what will happen in 2025?
Why did it take longer in 2024 than in 2023 to notify individuals of a breach after discovering it? Was ransomware more damaging and making investigations and data breach reviews more time-consuming and costly? Is that why more than 200 entries never disclosed at all and 66 entities never updated placeholder reports of 500 by the end of 2024?
Did it take longer because entities have seen that HHS OCR is not likely to punish them if they’re late with notifications?
Did it take longer because entities are just not putting aside enough money and resources for incident response?
DataBreaches does not know the answer. But if the point of notification is so that patients can be informed as to what happened, the type of information involved and what they can do to protect themselves, why isn’t HHS OCR enforcing notification requirements more vigorously?
When ransomware gangs first started using a double extortion method of demanding one fee for providing a decryptor key and another fee for deleting data they had exfiltrated, the gangs generally waited months before announcing any attack or leaking any data on their dark web sites. Nowadays, however, threat actors may announce an attack and provide proof of claims within days of the attack.
With data being leaked and available to everyone who wants to download it, it is more important than ever for entities to disclose quickly and transparently. All too often, however, all we see is an eventual disclosure that never tells people that their data has been leaked on the dark web or clear net hacking forums where anyone can download it for free.
There is nothing in HIPAA or HITECH that specifically states entities must disclose when stolen patient data has been leaked on the dark web, but DataBreaches believes it is a key element of a transparent disclosure intended to help patients protect themselves.
It’s about time that HHS OCR issued guidance informing entities that they should inform patients when their data has been leaked. And of course, it should also remind them of their obligations to notify timely, and back that up with actual enforcement actions.