The Ottuma Courier reports that a dental office is notifying patients whose information may have been exposed in a ransomware incident. They report, in part:
On Nov, 22, 2020, the office of Gregory P. Vannucci, a dental provider and oral surgeon, detected a network security incident affecting his practice. An unauthorized third-party accessed the network and encrypted the practice’s data. the office shut off all access to the network and engaged a cybersecurity firm to investigate the extent of incident.
[…]
GPV mailed letters to all impacted individuals on Jan. 18….
Read more at Ottumwa Courier.
More than one year after detecting an incident, patients have first been sent individual notifications.
The incident sounded familiar, though, and a little digging into it confirmed that this incident had been reported to HHS by Dr. Vannucci’s office on August 20, 2021 as impacting 26,144 patients.
So it took eight months from detection to notify HHS and then another six months to notify patients.
If this timeframe or delay in notification is okay, then Congress really needs to amend HIPAA and HITECH to eliminate the “no later than 60 calendar days” from discovery notification requirement.
And if it is not okay, then HHS really needs to start enforcing the timely notification requirement.