If a covered entity detects a breach at the beginning of June 2021 but doesn’t notify patients until January 2022, will HHS think this is just fine? What if there was no encryption of data involved? Is it acceptable to take 7 months to notify patients if there are no unusual circumstances or request from law enforcement to justify delay?
On January 6, Jefferson Surgical Clinic in Virginia reported a breach involving protected health information to the Maine Attorney General’s Office. They also posted a copy of the patient notification letter on their website.
From their letter:
On June 5, 2021, Jefferson Surgical Clinic detected that it was the target of a cybersecurity attack. An unauthorized third party attempted to infiltrate Jefferson Surgical Clinic’s computer network. We immediately notified the FBI and launched an investigation and engaged a law firm specializing in cybersecurity and data privacy, and third-party forensic specialists to assist. That investigation has recently determined that information – including your name, date of birth, social security number, and health/treatment information – were potentially accessed by an unknown party that is not authorized to handle or view such information.
The description of the event says nothing about data exfiltration. It says nothing about encryption or locking of files. It says nothing about any ransom demand. Can we conclude that none of those things happened? Why seven months from detection to notification?
External counsel for JSC notified Maine that 174,769 people were being notified of the incident and were being offered credit monitoring services. It is not clear from the report whether all of those are patients or if some subset of them are employees or contractors.
DataBreaches.net emailed the IT manager for JSC to ask about whether there was any encryption, exfiltration, or ransom demand, but no immediate reply was received. This post will be updated if more details become available.