Posted by PIH Health on their website on January 10, 2020:
Notification of Data Security Incident
January 10, 2020 – PIH Health has become aware of a data security incident that may have impacted personal information and protected health information belonging to certain current and former patients. On January 10, 2020, PIH Health notified potentially impacted individuals of this incident and provided resources to assist them.
On June 18, 2019, PIH Health learned that certain PIH Health employee email accounts had potentially been accessed without authorization as a result of a targeted email phishing campaign. Upon learning of this information, PIH Health took steps to secure its email system and network, including resetting the passwords required to access potentially affected employee email accounts. PIH Health also immediately launched an investigation and engaged leading, independent cybersecurity experts to provide assistance. On October 2, 2019, as a result of this investigation, PIH Health learned that certain employee email accounts were accessed without authorization between June 11, 2019 and June 18, 2019 as a result of the above-referenced phishing campaign.
Upon receipt of confirmation of unauthorized access to certain PIH Health employee email accounts, PIH Health engaged the same leading, independent cybersecurity experts to determine whether the accessed employee email accounts contained personal information and/or protected health information that may have been subject to unauthorized access as a result. On November 12, 2019, as a result of that review, PIH Health learned that information belonging to certain current and former patients was contained within the accessed email accounts. PIH Health then worked diligently to identify contact information for all potentially affected individuals in order to provide them with notice of the incident.
The above-referenced unauthorized access was limited to PIH Health email accounts and did not extend to other PIH Health information systems. Moreover, PIH Health is not aware, and the independent forensic investigation did result in the identification of, any evidence that information involved in this incident has been misused. Nonetheless, out of an abundance of caution, PIH Health provided notice to potentially affected individuals. PIH Health takes the security of all information very seriously and is implementing additional security measures to help prevent a similar occurrence in the future.
Notification letters were sent to all potentially impacted individuals whose contact information was identified on January 10, 2020. The letters include information about this incident and about steps that potentially impacted individuals can take to monitor and help protect their information. Contact information for some potentially affected individuals was not identified and PIH Health is providing this website posting as substitute notice to those individuals.
PIH Health has established a toll-free call center to answer questions about the incident and to address related concerns. The call center is available Monday through Friday from 8 am to 7 pm Central Time and can be reached at 833.963.0527. In addition, as a precaution, PIH Health is offering complementary credit monitoring services through Kroll to some potentially impacted individuals. PIH Health also notified the U.S. Health and Human Services Office for Civil Rights and consumer reporting agencies of this incident.
The privacy and protection of private information is a top priority for PIH Health. PIH Health deeply regrets any inconvenience or concern this incident may cause.
You can read the full notice here.
This is yet another example of a problem noted on this site before. Is this entity in compliance with HIPAA/HITECH’s 60-day rule concerning notification? It apparently took seven months from discovery that employees had been phished to notify individuals and HHS. If you read their notification with an eye towards the timeline, was the gap to confirmation of access to employee accounts acceptable? Should it have taken from June 18 to October 2 for that? Will HHS find that acceptable? And once they confirmed the accounts, should it have taken another month to determine if PHI was in or attached to those accounts? And then another two months to find contact information to notify individuals?
HHS/OCR may find these reasons acceptable and consistent with HIPAA and HITECH. But could they turn around and say that no, it took the entity too long? Could a state attorney general claim it took too long?
And how much PHI was sitting in employee email accounts if unauthorized access during a one-week period requires notification to approximately 200,000 patients?
Perhaps that’s what HHS should focus on in an enforcement action: whether entities continue to keep too much unencrypted PHI in email accounts that are all too easily hacked or compromised.