Although HHS OCR generally fails to take a hard enforcement line with reporting breaches by the “no later than 60 day” rule in HIPAA, state attorneys general may enforce even stricter deadlines. Read this press release: December 27 — Oregon Attorney General Ellen Rosenblum and Utah Attorney General Sean Reyes announced they’ve settled a data breach enforcement case…
A hospital’s patient data was stolen in June and they should have known it. Why are they claiming they didn’t know?
Six months after DataBreaches reported that Fitzgibbon Hospital in Missouri had been the victim of a ransomware attack by Daixin Team, the hospital has finally disclosed the incident. In a notification, the hospital claims that they detected the unauthorized access on June 6. But then they immediately make a demonstrably false statement. They state, “Though…
Retreat Behavioral Health addiction treatment centers hit by ransomware earlier this year
Retreat Behavioral Health (RBH) has addiction treatment facilities in Florida, Pennsylvania, and Connecticut. On July 1, 2022, they reportedly detected a ransomware attack. Letters were sent out this week, but because Massachusetts actually prohibits entities from providing important details in notifications to consumers, there’s a lot we don’t know about this incident yet. Specifically, the…
Worst breach notifications of 2022
This is the time of year when many sites compile their lists of worst breaches of the year. Some consider all sectors, some confine themselves to one sector. Many base their lists on the number reported to some regulator. Over the years, I have compiled my own annual lists where the “worst breaches” were not always…
Bits ‘n Pieces (Trozos y Piezas)
BR: Monte Cristalina claimed by LockBit3.0
On December 19, Monte Cristalina S.A. was added to LockBit3.0’s leak site. The group claims to have 135GB of information about the holding company, and has already uploaded some data as proof. Access to Monte Cristalina’s website has been blocked, and we have found no acknowledgement or confirmation by…
NC: Monarch notifies HHS of breach, but where are the details and notice?
On September 1, a listing on a dark web site by a group calling themselves Don#t_Leaks named MonarchNC as a victim. The listing did not appear for long. The only “proof” offered at the time was a filetree and a screencap of what might be an index of an inbox showing monarchnc.org domain in email…