Five months after learning of problem, Michigan cancer treatment provider notifies 22,000 patients

On October 21, 2016, Singh & Arora Oncology Hematology PC in Michigan notified HHS of a hacking incident that they reported impacted 16,000 patients. Today, we learn that 22,000 patients are first getting notification letters this week. Why has it taken more than three months since HHS was notified for patients to be notified? 

Jessica Dupnack reports:

According to the letter, one of the practice’s servers was being accessed by an unauthorized user for nearly seven months between February and July of last year.

It wasn’t until August 2016 that they were notified of a problem.

So unauthorized access went on for almost five months (from February 27 – July 14), they learned of the problem on August 22, 2016, and they reported it two months later to HHS, but didn’t notify the patients until February of 2017? Why the long gap to notifying patients?

The files accessed contain names, insurance information and social security numbers.

The letter from Singn and Arora says the hackers were apparently not after this personal information. There is no indication it was used for identity theft, but they can’t say with total certainty that the information wasn’t compromised.

I wonder what makes them think the hackers were not after the PII or PHI. Although the reporter says “an unauthorized user” accessed the server, the letter (pieces of which were shown in the video of the news report) indicates that during those months, it was accessed by “unauthorized users” (plural).  The letter also indicates that addresses, telephone number, date of birth, and CPT codes were in the accessed files.

So how can they know the information wasn’t used for identity theft when no one had been notified or might know to report any identity theft to them?

Michigan media outlets might want to pursue the question of why the delay in notification.

This post was edited post-publication to insert actual dates and redo the math.