DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Five months after learning of problem, Michigan cancer treatment provider notifies 22,000 patients

Posted on February 7, 2017 by Dissent

On October 21, 2016, Singh & Arora Oncology Hematology PC in Michigan notified HHS of a hacking incident that they reported impacted 16,000 patients. Today, we learn that 22,000 patients are first getting notification letters this week. Why has it taken more than three months since HHS was notified for patients to be notified? 

Jessica Dupnack reports:

According to the letter, one of the practice’s servers was being accessed by an unauthorized user for nearly seven months between February and July of last year.

It wasn’t until August 2016 that they were notified of a problem.

So unauthorized access went on for almost five months (from February 27 – July 14), they learned of the problem on August 22, 2016, and they reported it two months later to HHS, but didn’t notify the patients until February of 2017? Why the long gap to notifying patients?

The files accessed contain names, insurance information and social security numbers.

The letter from Singn and Arora says the hackers were apparently not after this personal information. There is no indication it was used for identity theft, but they can’t say with total certainty that the information wasn’t compromised.

I wonder what makes them think the hackers were not after the PII or PHI. Although the reporter says “an unauthorized user” accessed the server, the letter (pieces of which were shown in the video of the news report) indicates that during those months, it was accessed by “unauthorized users” (plural).  The letter also indicates that addresses, telephone number, date of birth, and CPT codes were in the accessed files.

So how can they know the information wasn’t used for identity theft when no one had been notified or might know to report any identity theft to them?

Michigan media outlets might want to pursue the question of why the delay in notification.

This post was edited post-publication to insert actual dates and redo the math. 

 

No related posts.

Category: HackHealth DataU.S.

Post navigation

← Small Milwaukee publisher sues to stop misrouted medical faxes putting him at risk
Sports Direct hacked last year, but still hasn’t told its staff of data breach? →

3 thoughts on “Five months after learning of problem, Michigan cancer treatment provider notifies 22,000 patients”

  1. Anonymous says:
    February 7, 2017 at 11:13 pm

    Perhaps it was law enforcement that allowed the delay in notification. They seem oblivious to notifying patients.

    1. Dissent says:
      February 8, 2017 at 12:22 am

      The letter usually says when law enforcement requests a delay. This letter doesn’t seem to have cited that.

    2. Dissent says:
      February 8, 2017 at 12:23 am

      The letters usually say when law enforcement requests a delay. This letter doesn’t seem to have cited that.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Air Force Employee Pleads Guilty to Conspiracy to Disclose Unlawfully Classified National Defense Information
  • UK police arrest four in connection with M&S, Co-op and Harrods cyberattacks (1)
  • At U.S. request, France jails Russian basketball player Daniil Kasatkin on suspicion of ransomware conspiracy
  • Avantic Medical Lab hacked; patient data leaked by Everest Group
  • Integrated Oncology Network victim of phishing attack; multiple locations affected (2)
  • HHS’ Office for Civil Rights Settles HIPAA Privacy and Security Rule Investigation with Deer Oaks Behavioral Health for $225k and a Corrective Action Plan
  • HB1127 Explained: North Dakota’s New InfoSec Requirements for Financial Corporations
  • Credit reports among personal data of 190,000 breached, put for sale on Dark Web; IT vendor fined
  • Five youths arrested on suspicion of phishing
  • Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How to Build on Washington’s “My Health, My Data” Act
  • Department of Justice Subpoenas Doctors and Clinics Involved in Performing Transgender Medical Procedures on Children
  • Google Settles Privacy Class Action Over Period Tracking App
  • ICE Is Searching a Massive Insurance and Medical Bill Database to Find Deportation Targets
  • Franklin, Tennessee Resident Sentenced to 30 Months in Federal Prison on Multiple Cyber Stalking Charges
  • On July 7, Gemini AI will access your WhatsApp and more. Learn how to disable it on Android.
  • German court awards Facebook user €5,000 for data protection violations

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.