Premier Health Partners (“PHP”) in Ohio issued a press release this week and uploaded a substitute notice to its website. Why they only recently concluded an investigation into a breach they discovered on July 12, 2023 requires more explanation than they provide.
Premier Health Partners (“Premier Health”) is providing notice of a cyber incident that may impact the privacy of some information of certain individuals. On July 12, 2023, Premier Health became aware of suspicious activity related to certain systems within its environment. As a result, Premier Health launched an investigation to determine the nature and scope of the activity. Through this investigation, Premier Health determined that files on certain Premier Health systems were subject to access and acquisition by an unauthorized party at varying times between June 7, 2023 and July 12, 2023. Following this discovery, Premier Health began reviewing the affected systems to determine what, if any, sensitive information was contained within the systems in question, which recently concluded. Please note that we do not have any evidence to indicate that your information was subject to actual or attempted misuse as a result of this incident. All Premier Health services are fully operational and there has not been and will not be any interruption in service.
So more than two years ago, there was a breach that they discovered. The types of information involved included: provider name, date of birth, Social Security number, driver’s license number or state issued identification number, passport number, individual taxpayer identification number, digital signature, login credentials, financial account information, medical information, and health insurance information.
A check of HHS’s public breach tool reveals that this incident was reported to HHS on October 12, 2023 as affecting 10,833 patients.
So why is Premier Health issuing a press release and substitute notice now? Weren’t those 10,833 patients notified in 2023? Have more patients been identified as having been affected or is there some other explanation? Why are (more?) notifications first being made now?
DataBreaches emailed Premier Health with those questions yesterday, but no reply has been received as yet.
The check of HHS’s public breach tool indicates that there has been no closing statement about any investigation into this incident as yet.
This would not be the first time that Premier Health failed to notify patients within 60 calendar days of discovering a breach.
In August 2020, Premier Health notified HHS that patients were affected by an incident that began on May 5, 2020 and was discovered on June 8, 2020. On November 2, 2020, the number affected was updated to 254,786 patients. A notification to patients sent in November explained:
Premier Health Partners (“Premier Health”) writes to make you aware of a recent incident that may affect the privacy of personal information for certain individuals associated with the Clinical Neuroscience Institute, Help Me Grow Brighter Futures, Samaritan Behavior Health Inc. (SBHI), Atrium Medical Center, Miami Valley Hospital, Miami Valley Hospital North, and CompuNet Clinical Laboratories. On June 8, 2020, Premier Health discovered unusual activity involving certain Premier Health employee email accounts.
So it was five months after discovering a breach that Premier Health first notified over 254,000 patients. HHS investigated that incident and wrote the following closing note:
The covered entity (CE), Premier Health Partners, reported that multiple employees were the victims of an email phishing attack that affected the electronic protected health information (ePHI) of 254,786 individuals. The ePHI involved included names, addresses, dates of birth, drivers’ license numbers, Social Security numbers, claims and financial information, diagnosis, and other treatment information. The CE notified HHS, affected individuals, and the media. In its mitigation efforts, the CE implemented additional administrative, technical, and security safeguards to better protect its ePHI. OCR provided the CE with technical assistance regarding the HIPAA Security and Breach Notification Rules.
But now we are looking at notifications for a breach that was discovered more than two years ago. What will HHS do now?
Note: Claim Depot incorrectly lists the 2023 incident as affecting 154,731 patients, but that is a number reported to Maine for the 2020 incident, and wasn’t the final number for that incident.