Another entity affected by the Summit Reinsurance ransomware attack in March 2016 is first notifying individuals of the incident.
See this report about PrimeWest Health. The insurer notified HHS of the incident on December 29, reporting that 2,441 members were affected.
The reinsurer’s breach was discovered on August 8, 2016, and yet affected entities are first disclosing the breach in December and January? That’s a long gap between initial discovery by the BA and notification by the covered entity. I hope they have a good reason for it when HHS/OCR investigates.
Update and Correction: A reinsurer is not a business associate under HIPAA.