[BreachExchange] Health Data Breach Not Reported for Seven Months

Destry Winant destry at riskbasedsecurity.com
Wed Jan 29 09:53:44 EST 2020


https://www.databreachtoday.com/health-data-breach-reported-for-seven-months-a-13652

A California healthcare provider took nearly seven months to report to
regulators a phishing incident that exposed information on 200,000
patients. Security experts are analyzing whether the delay could be
justifiable.

PIH Health, a regional healthcare network based in Whittier,
California, says that it discovered in June 2019 a phishing incident
that it eventually reported to the Department of Health and Human
Services on Jan. 10, 2020.

HHS Office for Civil Rights' HIPAA Breach Reporting Tool website shows
the hacking/IT incident involving email impacted nearly 200,000
individuals. As of Monday, the PIH Health incident is the largest
breach added to the federal website so far in 2020.

Under HIPAA, covered entities are required to report breaches
impacting protected health information within 60 days of discovering
the breach.

PIH Health Breach Timeline

In its breach notification statement, PIH Health says that on June 18,
2019, it learned that certain PIH Health employee email accounts had
potentially been accessed without authorization as a result of a
targeted phishing campaign.

"Upon learning of this information, PIH Health took steps to secure
its email system and network, including resetting the passwords
required to access potentially affected employee email accounts. PIH
Health also immediately launched an investigation and engaged leading,
independent cybersecurity experts to provide assistance," the
statement notes.

PIH Health says that as a result of its investigation, on Oct. 2,
2019, it determined that certain employee email accounts were accessed
without authorization between June 11 and June 18, 2019 as a result of
the phishing campaign.

On Nov. 12, 2019, PIH Health determined that information belonging to
certain current and former patients was contained within the accessed
email accounts. "PIH Health then worked diligently to identify contact
information for all potentially affected individuals in order to
provide them with notice of the incident." The incident was then
reported to HHS nearly two months later.

"PIH Health is not aware, and the independent forensic investigation
did not result in the identification of, any evidence that information
involved in this incident has been misused," the statement notes.

The organization did not describe the kind of PHI contained in the
compromised email accounts. PIH Health did not immediately respond to
an Information Security Media Group request for additional information
about the incident.

"We don't yet know why PIH Health took four months to understand the
June attack was a breach of unsecured PHI, or took almost two more
months to report the breach to OCR," notes independent HIPAA attorney
Paul Hales. "But we do know PIH Health is in trouble. OCR
automatically investigates breaches of this size."

Delayed Response?

The HITECH Act mandates that covered entities notify individuals of a
health data breach without unreasonable delay but in no case later
than 60 days from the discovery of the breach, except where law
enforcement has requested a delay.

"In adopting the regulations implementing the breach notification
requirements, HHS considered arguments for extending the timeframe for
notification," says privacy attorney David Holtzman of the security
consulting firm CynergisTek, who formerly worked at HHS' OCR, which
enforces HIPAA. "But in the final analysis, it determined that the
interests of consumers whose information had been disclosed could be
adversely affected by a longer delay and lose the ability to mitigate
adverse consequences caused by the compromise of their PHI."

Meanwhile, California law requires breach notification within 15
business days from date of discovery, Holtzman notes.

"While it is possible that [PIH Health] had discussions with OCR and
the California Department of Public Health to request exercise of
enforcement discretion, in my experience these extensions are rarely
given," he says. If there was no such extension, federal and state
enforcement agencies "will conduct an exhaustive compliance review
into why the organization was unable to comply with the rules," he
predicts.

Time-Consuming Work?

But privacy attorney Iliana Peters of the law firm Polsinelli, who was
also a former senior adviser at OCR, notes that forensic
investigations "can take a significant amount of time, and just
establishing whether or not PHI was potentially affected, let alone
the specific individuals who may have been affected, can be extremely
difficult. It's very important to understand that the definition of a
'security incident' under the HIPAA Security Rule is different from a
'breach' under the HIPAA Breach Notification Rule."

While HIPAA covered entities and business associates are required to
investigate all security incidents, a "breach" is not determined
until the entities confirm that "acquisition, access, use or
disclosure of PHI in a manner not permitted [under the regulations]
which compromises the security or privacy of the PHI" occurred, she
notes.

"It is crucial that HIPAA covered entities - or their business
associates, on their behalf - determine what PHI, if any, was accessed
or acquired in any security incident, and ... determine whether a
breach actually occurred."

The 60-day reporting timeline starts when the HIPAA covered entity
confirms that PHI was accessed or acquired in a way that compromises
the security or privacy of the PHI, she says.
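The distinction between incident discovery and breach determination decides where the notification clock starts. The following added example (not from the article or from PIH Health) works the reported timeline through both the 60-day HIPAA window and the 15-business-day California window that Holtzman cites, using the dates given above; it assumes weekends are the only non-business days, so public holidays are not modelled.

```python
from datetime import date, timedelta

# Dates taken from the article's account of the PIH Health timeline.
PHISHING_DISCOVERED = date(2019, 6, 18)   # accounts possibly accessed (security incident)
ACCESS_CONFIRMED = date(2019, 10, 2)      # unauthorized access confirmed
PHI_CONFIRMED = date(2019, 11, 12)        # patient PHI found in accounts (breach determination)
REPORTED_TO_HHS = date(2020, 1, 10)

HIPAA_DEADLINE_DAYS = 60          # HITECH/HIPAA: no later than 60 calendar days
CA_DEADLINE_BUSINESS_DAYS = 15    # California: 15 business days, per the article


def add_business_days(start: date, n: int) -> date:
    """Date n business days (Mon-Fri) after start.
    Assumption: weekends only; public holidays are not modelled."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:   # 0..4 are Monday..Friday
            n -= 1
    return d


def deadlines(clock_start: date) -> dict:
    """Latest permissible notification dates if the clock starts on clock_start."""
    return {
        "hipaa": clock_start + timedelta(days=HIPAA_DEADLINE_DAYS),
        "california": add_business_days(clock_start, CA_DEADLINE_BUSINESS_DAYS),
    }


def assess(clock_start: date, reported: date) -> dict:
    """Elapsed days and whether a report on `reported` met each deadline."""
    d = deadlines(clock_start)
    return {
        "days_elapsed": (reported - clock_start).days,
        "hipaa_deadline": d["hipaa"],
        "hipaa_met": reported <= d["hipaa"],
        "california_deadline": d["california"],
        "california_met": reported <= d["california"],
    }


if __name__ == "__main__":
    # Same report date, three candidate clock starts: the outcome flips
    # depending on which event is treated as "discovery of the breach".
    for label, start in [("incident discovered", PHISHING_DISCOVERED),
                         ("access confirmed", ACCESS_CONFIRMED),
                         ("PHI confirmed", PHI_CONFIRMED)]:
        print(label, assess(start, REPORTED_TO_HHS))
```

Counting from the Nov. 12 breach determination, the Jan. 10 report lands on day 59 of the federal window, but it is well past the 15-business-day state deadline under this model.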

For example, in email compromise incidents, it may not be immediately
known which email accounts were affected and how - and there may be
many thousands of emails potentially impacted, she notes. On top of
that, it takes time to determine whether the compromised email
accounts contain PHI, "given that not all employees of an entity have
access to PHI or use email to transmit PHI," she says.

HIPAA covered entities and business associates should engage with their
cyber insurers, counsel and forensic investigators as quickly as
possible after discovery of a security incident to ensure that they
are working reasonably and diligently to understand the scope of any
particular attack, including the individuals whose PHI may be
affected, Peters says.

Covered entities should "consider working with forensic investigation
firms that engage in programmatic data mining efforts to understand
which individuals may be affected more efficiently than having to
manually review all documents involved, which is incredibly
resource-intensive, although manual review of some documents in these
incidents is always necessary, given the limitations of programmatic
datamining," she adds.

Notifying Victims

Holtzman notes that timely breach notification to individuals whose
PHI has been compromised enables victims to make decisions on what
action to take to mitigate adverse consequences from the disclosure of
their information.

"The disclosed information may have contained financial or credit card
information," he says. "Or the PHI may have contained sensitive
information about their health status or treatment, which might expose
them to harm of their reputation or the status of their employment or
a personal relationship. The point is, the consumer has a right to
know when their PHI has been disclosed, and it is their decision on
what appropriate measures should be taken to protect themselves."

In those cases where an investigation takes a long time, "the covered
entity can make substitute notification thro