Share this article on:
A Singh and Arora Oncology Hematology breach is finally being communicated to individuals who had their electronic protected health information exposed, although it has taken 5 months for those letters to be sent.
The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule requires covered entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities – to send breach notification letters to patients within 60 days of the discovery of an ePHI breach. The Department of Health and Human Services’ Office for Civil Rights (OCR) must also be notified of a breach in the same timeframe.
However, in the case of the Singh and Arora Oncology Hematology breach, the Flint, MI-based cancer treatment center discovered that its systems had been breached on August 22, 2016. While OCR was notified of the breach on October 21, 2016, patients have only just started receiving their letters.
The Singh and Arora Oncology Hematology breach actually occurred between February 27, 2016 and July 14, 2016. An unauthorized individual gained access to a server containing ePHI. It took around a year from when access to ePHI was first gained for patients to be informed that their sensitive data had potentially been accessed.
According to the OCR breach notice, the incident resulted in the exposure of 16,000 patients’ ePHI. ABC12, which was contacted by some of the affected patients, were told that the breach included patients’ names, addresses, phone numbers, dates of birth, Social Security numbers, current procedural terminology codes and health insurance details.
While the delay in the discovery of the breach is perhaps understandable – it is rarely a simple task to determine a cyberattack has occurred – the delay in the issuing of notification letters is not, especially when OCR was informed of the cyberattack and potential ePHI exposure within 2 months.
In some situations, patient breach notification letters are delayed so as not to interfere with a criminal investigation. There have been numerous instances where law enforcement has requested that HIPAA-covered entities delay the issuing of notifications to patients. However, in this case, no mention has been made of any law enforcement-requested delay.
The delay in issuing breach notification letters to patients was allegedly due to the healthcare provider being unable to determine whether data had actually been compromised. The letters explain to patients that the attacker was not believed to have been looking for ePHI and no indications that ePHI was accessed or used inappropriately have been discovered. However, it has not been possible to rule out the possibility that ePHI was accessed.
To protect patients, all affected individuals have been offered a year of credit monitoring services without charge. Given the delay in notification, patients should obtain credit reports and check back for any sign of suspicious activity over the past 12 months. EoB statements should also be carefully checked.
As with all breaches of more than 500-records, OCR will conduct an investigation. Given that OCR has recently penalized a healthcare organization solely for delaying the issuing of breach notification letters to patients, it doesn’t bode well for Singh and Arora Oncology Hematology.