Kyle Lamb reports:
The Chelan Douglas Health District is warning the public of a data breach that may have led to the loss of identifiable personal and health information.
The district said the hack occurred in early July of last year, with cybersecurity consultants finishing a review of the breach February 12th and the district providing a link to a statement about the hack at the bottom of their website Tuesday.
Read more at KPQ.
A spokesperson for Chelan told the news station, “A lot of times these investigations can take up to two to three years.” Davies said, “We were able to turn around and get ours done within six or seven months.”
Do they really think that two to three years is common or accepted for a health data breach notification? Look at the type of information that was exfiltrated from their system:
full names and one or more of the following: Social Security numbers, dates of birth/death, financial account information, medical information (treatment/diagnosis information, medical record or patient number, and/or health insurance policy information
Do they really think it is okay to first be warning people six or seven months later — especially when HIPAA requires notification “without undue delay” and in no case later than 60 calendar days from discovery?
Chelan’s notice can be found on their website. It does not disclose when they actually first detected and confirmed any breach of their system so it is not known to this site when the 60-day clock from discovery would have started ticking. Their notice is also silent on whether this was a ransomware incident and/or whether any data was encrypted. As of the the time of this publication, DataBreaches.net has not seen any reference to this incident on any ransomware-related data leak sites.
Chelan’s statement does not disclose how many patients are being notified. They declined to answer that question when KPQ put it to them. The incident is not yet on HHS’s public breach tool, but eventually, we will learn how many they are notifying.
What the notice does include, however, is something that this site has criticized in many other cases: they claim they are providing notification in an “abundance of caution” as if they just chose to notify but didn’t actually have to notify. Any such implication is misleading when the law actually requires them to provide notification.