Health Quest has announced it has suffered a phishing attack that has resulted in the exposure of certain patients’ protected health information.
The breach affected its affiliates Health Quest Medical Practice, Health Quest Urgent Care and Hudson Valley Newborn Physician Services, and the exposed information related to medical services provided to patients of those affiliates.
According to the breach notice on the Health Quest website, on April 2, 2019, Health Quest learned that patient information was contained in emails and email attachments in several employee email accounts that had been compromised as a result of a phishing attack.
Compromised protected health information included names, diagnoses, treatment information, dates of service, provider names, health insurance claims information and other information related to services received between January 2018 and June 2018.
When the breach was detected, the accounts were secured, and a leading cybersecurity firm was engaged to assist with the investigation. Health Quest has since implemented multi-factor authentication and has strengthened email security to prevent further breaches. Breach notification letters are being mailed to affected individuals and should be received in the mail by June 10, 2019.
While the time frame for sending notifications appears to be in line with HIPAA requirements (April to June), the phishing attack actually occurred and was detected in July 2018.
According to Health Quest, “On January 25, 2019, Health Quest Affiliates identified email attachments that contained certain health information, and on April 2, 2019, were determined to contain patient information.”
Notification letters were therefore sent 11 months after the email accounts were compromised, and five months after it was first determined that some health information had been exposed. It is unclear why it took so long to determine that the compromised accounts contained PHI.
Breach Reporting Delays Can Prove Costly
There have been several breaches reported recently in which the breach occurred several months earlier and notifications were only issued after the investigation had been completed.
Naturally, it is not possible to send notifications to affected individuals until those individuals have been identified, but the HHS is quite clear about the requirement to report breaches promptly and within 60 days of the discovery of the breach.
The discovery date is the date when the breach is discovered, not the date when the total number of individuals affected has been determined. OCR notifications are required within 60 days and addenda can be added to the breach reports when further information becomes available, such as the total number of affected individuals.
State attorneys general and OCR have taken action against organizations in the past over delayed breach notifications and have issued regulatory fines.