Last month, MaineGeneral announced it had suffered a cyberattack in which a limited amount of patient data had been exfiltrated and placed on an external website by an unknown individual. The data was not accessible to the public, but had been viewed by an unauthorized party.
In accordance with HIPAA Rules, MaineGeneral immediately started an investigation and shortly thereafter issued breach notification letters to affected patients to alert them to the exposure of their PHI. An external security firm was also brought in to assist with a forensic investigation.
The FBI was also investigating the data breach, and advised MaineGeneral about the data it had discovered on the third party website. The FBI determined that only patients’ dates of birth, emergency contact numbers, telephone numbers, addresses, and referring physician names had been copied. This was confirmed by MaineGeneral’s initial investigation findings.
The investigation has been ongoing and is now almost at an end; however, it has since come to light that other Protected Health Information was exposed in the data breach and that the cyberattack was far more extensive than previously believed. In addition to the aforementioned data, the following information was also exposed in the breach: Patient names, demographic information, medical information, Social Security numbers, insurance details, guarantor information, emergency contact information, medical record numbers, allergy information, and employer details.
An advocacy file is also now understood to have been accessed, and that file contained the Social Security numbers of patients along with an account number, phone numbers, addresses, patient names, age, and attending physician names.
A registry file was accessed, which contained names, dates of birth, Social Security numbers, addresses, medical record numbers, health history data, and treatment information.
A mailing list was accessed which detailed patient names and addresses, as well as a monitoring system file containing medical ID numbers, Social Security numbers, dates of birth, patient names, and addresses.
Letters sent to patients detailing their names and addresses, as well as descriptions of procedures, diagnosis information, treatment choice, procedure descriptions, and procedure dates were compromised.
Some employee names, addresses, and contact telephone numbers were exposed, as well as the contact information of prospective donors.
When Should Breach Notification Letters Be Sent?
The breach update raises an important point. When should a HIPAA-covered entity notify breach victims that their information has been exposed?
The Office for Civil Rights requires breach notification letters to be sent to all breach victims within 60 days of the discovery of a data breach; that is an outer limit, and a covered entity should not delay issuing the notices unnecessarily.
MaineGeneral announced the data breach promptly and sent breach notification letters to patients last month, around 30 days after the breach was discovered. This is certainly commendable and patients should appreciate the prompt notification. This allowed them to take steps to protect their identities and credit quickly.
However, if a covered entity issues a breach notice promptly and further information later comes to light that contradicts the first notice, it is essential that another letter be sent to breach victims advising them of the new information.