Health sector breaches recently reported to the US Department of Health and Human Services (HHS) include a network disruption affecting more than 250,000 patients at Bay Bridge Administrators, a network intrusion affecting more than 60,000 patients at Circles of Care Providers, and a data exposure affecting more than 35,000 patients at the Elizabeth Hospice.
- If you’re in the health care sector, don’t expect the volume of attacks to drop anytime soon. The challenge here is that while the third-party provider gave notification of the breach within 60 days after confirmation/validation, HIPAA actually wants notification “even if it is initially unclear whether the incident constitutes a breach as defined in the rule.” Have a conversation with your third-party providers to understand how they interpret this language, so you know what to expect. You may want to include your legal counsel in the conversation for peace of mind.
- An interesting interpretation of the HIPAA requirement to inform patients within 60 days of possible data exposure. Yes, organizations should be afforded some time to investigate a cyber breach, but allowing that amount of time before notification is concerning. Simply put, victims should have been notified faster. Perhaps Congress will take on this reporting-requirement ambiguity as they look at potential cybersecurity mandates for health systems.