On January 25, ClickOrlando reported:
A hack at a pulmonary practice in Tavares might have exposed sensitive patient information, including Social Security numbers and medical histories.
Officials from AdventHealth said in a news release on Friday that an unauthorized third party gained access to systems at AdventHealth Medical Group Pulmonary & Sleep Medicine at Tavares, formerly known as Lake Pulmonary Critical Care, beginning in August 2017.
The security breach was discovered on Dec. 27, 2018. Letters will be sent by March 10 to patients who were potentially affected.
Patient names, email addresses, phone numbers, birthdates, medical history, insurance carriers and Social Security numbers might have been accessed as part of the hack, officials said.
Read more on ClickOrlando.
The full notification can be read on the Vermont Attorney General’s site.
The incident was subsequently reported to HHS as impacting 42,161 patients, and I suspect that at least some patients will not be happy that they are learning about this through the media instead of hearing it first from the provider.
Of note: it is not clear to me how AdventHealth can even even give itself until March 10 to notify patients. If the breach was discovered December 27, they had 60 days from that date to notify and March 10 would be 73 days from discovery.
Hopefully they will complete notification within the required 60 days. But if they do fail to comply, will HHS investigate and take any enforcement action?