In June, this site covered a breach affecting approximately 18,000 patients of North Shore-Long Island Jewish Health System. Unencrypted patient data, including SSN and clinical information, had been on five laptops stolen from Global Care Delivery, a Texas-based firm that contracted with North Shore-LIJ to process and collect payments owed by insurers to the hospital system. At the time, I noted that there was an unexplained 8-month delay between the theft of the laptops and the BA’s notification to the hospital system, and I wondered how HHS/OCR might respond to that.
In its summary of its investigation into the incident, OCR writes:
Five password-protected, but unencrypted laptop computers were stolen from Global Care Delivery, a business associate (BA) of the covered entity (CE), North Shore LIJ Health System in September 2014. The laptops contained the protected health information (PHI) of 18,213 individuals, including names, dates of birth, insurance identification numbers (which contained social security numbers), and diagnoses and/or treatment codes related to claims. The BA notified police at the time of the incident, but did not notify the CE until May 11, 2015. The BA retained Knoll, Inc. to assist with individual notification and provide call center services to answer questions from individuals impacted by the breach. Breach notification was provided to HHS and affected individuals, and the BA offered complimentary one-year identity theft protection services. The business relationship between the CE and BA ended effective May 11, 2015. The BA has closed its business.
So did Global Care Delivery fold as a result of failing to notify their clients promptly, or because of the costs of the breach such as ID theft monitoring, or….? In any event, now we don’t know how HHS might respond to such delayed notification. Could OCR still have pursued the entity even though they folded? I think they could have, but then, what’s the point, right? Or is there a point that should/could still have been made?