[BreachExchange] Breach Notification Delay: A Step-by-Step Timeline
destry at riskbasedsecurity.com
Tue Jun 30 10:36:47 EDT 2020
Why are some breach notifications delayed for months? This week, a
company that operates senior care facilities in North Carolina and
South Carolina issued a statement offering a step-by-step explanation.
In a notification statement issued Tuesday, Choice Health Management
Services says an undisclosed number of those who received treatment at
16 independent living, assisted living and skilled nursing facilities
- as well as employees and third parties associated with these
facilities - were affected by an email security incident.
The Claremont, North Carolina-based company says that in late 2019,
the company discovered suspicious activity in certain employee email
accounts. It then hired a forensics firm to investigate.
"On January 17, Choice Health Management Services confirmed that
certain employee email accounts were subject to unauthorized access,
but was unable to determine what, if any, individual emails or
attachments within the accounts were subject to unauthorized access,"
the company says. "With the assistance of a third-party firm, Choice
Health Management Services then began a comprehensive and
time-intensive review process of the email accounts subject to
unauthorized access to determine what, if any, sensitive information
On March 27, the review concluded, and the company learned that
personal health information was contained in certain email accounts,
the statement notes.
"However, since the vendor was unable to link a large number of the
individuals to the facility where the individuals sought treatment,
Choice Health Management Services began a review of its internal
records to determine this information so notice could be provided to
the appropriate facility."
Internal Review Completed
On May 12, the company completed its internal review and determined
which individuals received care at specific facilities, the company
"On April 16 and again on May 22, Choice Health Management Services
notified facilities about the event and requested permission to
provide patients and residents with notice, which was subsequently
Choice Health Management Services did not immediately respond to an
Information Security Media Group request for additional information
about the incident.
The company's notification statement notes it reported the incident to
regulators, including the Department of Health and Human Services. But
as of Thursday, it did not appear posted on HHS' Office for Civil
Rights' HIPAA Breach Reporting Tool website, which lists health data
breaches affecting 500 or more individuals.
Choice Health Management Services says it's unaware of misuse of the
information contained in the emails. That information may have
included names, dates of birth, Social Security numbers, driver's
license numbers, passport numbers, credit card information, financial
account information, employer identification numbers, usernames with
passwords or associated security questions, email addresses with
passwords or associated security questions, provider names, medical
record and patient numbers, diagnostic or treatment information and
health insurance information.
Regulatory issues potentially arise when breach notifications are delayed.
"One obvious danger is violating the breach notification laws that
dictate how long an organization has to submit notification," says
Keith Fricke, principal consultant at tw-Security.
Under the HIPAA Breach Notification Rule, covered entities must notify
HHS no later than 60 days following discovery of a major health data
But as the notification statement in this case illustrates, many
healthcare organizations have difficulty identifying those affected by
"Certainly the number of customers and volume of email are
contributing factors to the level of complexity in sorting out the
scope of possible breach," says Keith Fricke, principal consultant at
"What adds to the complexity is reviewing emails that are marked as
having been read and trying to determine if the owners of the
compromised email accounts read the messages or if the person with
unauthorized access read them."
It's easier to rule out emails as not having been inappropriately
accessed if a message is still marked as "unread," he notes.
"Organizations with an email retention policy of 90 days will fare
better in sorting through this situation than an organization that has
no retention limits on email," he adds.
Dave Bailey, director of security services at privacy and security
consultancy CynergisTek, says searching email and identifying
sensitive information requires robust data loss prevention technology.
Fricke warns that criminals are indiscriminate when it comes to
compromising email accounts. "In the end, compromise of email accounts
poses breach identification/response difficulties for any
organization," he says.
Because email is such a prime target, it's critically important to
provide ongoing reminders to the workforce regarding these types of
attacks, he adds. "Remember to provide the big-picture framing for
employees so they understand it's not just our organization that can
be impacted by an email attack - think about all of our customers."
Organizations should conduct annual tabletop exercises to prepare them
to respond to a potential breach, Fricke says. "This can be part of
the evaluation of security standards in place to identify if current
policies and procedures are optimal."
Also, having incident response playbooks for rapid and consistent
response to email breaches is essential, he adds. "Companies should
rehearse these plans to fine-tune the procedures and identify if any
technical tools need to be acquired to aid in rapid analysis and