Breach Notification Delay: A Step-by-Step Timeline
Senior Care Facility Operator Describes Investigation
Why are some breach notifications delayed for months? This week, a company that operates senior care facilities in North Carolina and South Carolina issued a statement offering a step-by-step explanation.
In a notification statement issued Tuesday, Choice Health Management Services says an undisclosed number of those who received treatment at 16 independent living, assisted living and skilled nursing facilities - as well as employees and third parties associated with these facilities - were affected by an email security incident.
The Claremont, North Carolina-based company says that in late 2019 it discovered suspicious activity in certain employee email accounts. It then hired a forensics firm to investigate.
"On January 17, Choice Health Management Services confirmed that certain employee email accounts were subject to unauthorized access, but was unable to determine what, if any, individual emails or attachments within the accounts were subject to unauthorized access," the company says. "With the assistance of a third-party firm, Choice Health Management Services then began a comprehensive and time-intensive review process of the email accounts subject to unauthorized access to determine what, if any, sensitive information they contained."
On March 27, the review concluded, and the company learned that personal health information was contained in certain email accounts, the statement notes.
"However, since the vendor was unable to link a large number of the individuals to the facility where the individuals sought treatment, Choice Health Management Services began a review of its internal records to determine this information so notice could be provided to the appropriate facility."
Internal Review Completed
On May 12, the company completed its internal review and determined which individuals received care at specific facilities, the company says.
"On April 16 and again on May 22, Choice Health Management Services notified facilities about the event and requested permission to provide patients and residents with notice, which was subsequently granted."
Choice Health Management Services did not immediately respond to an Information Security Media Group request for additional information about the incident.
The company's notification statement notes that it reported the incident to regulators, including the Department of Health and Human Services. But as of Thursday, the incident did not appear on the HHS Office for Civil Rights' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
Choice Health Management Services says it's unaware of misuse of the information contained in the emails. That information may have included names, dates of birth, Social Security numbers, driver's license numbers, passport numbers, credit card information, financial account information, employer identification numbers, usernames with passwords or associated security questions, email addresses with passwords or associated security questions, provider names, medical record and patient numbers, diagnostic or treatment information and health insurance information.
Regulatory issues potentially arise when breach notifications are delayed.
"One obvious danger is violating the breach notification laws that dictate how long an organization has to submit notification," says Keith Fricke, principal consultant at tw-Security.
Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals, and HHS for breaches affecting 500 or more individuals, without unreasonable delay and no later than 60 days after discovery of the breach. Breaches affecting fewer than 500 individuals may be reported to HHS annually, within 60 days of the end of the calendar year in which they were discovered.
But as the notification statement in this case illustrates, many healthcare organizations have difficulty identifying those affected by email breaches.
"Certainly the number of customers and volume of email are contributing factors to the level of complexity in sorting out the scope of possible breach," Fricke says.
"What adds to the complexity is reviewing emails that are marked as having been read and trying to determine if the owners of the compromised email accounts read the messages or if the person with unauthorized access read them."
It's easier to eliminate which emails have not been inappropriately accessed if the message is marked as "unread," he notes. "Organizations with an email retention policy of 90 days will fare better in sorting through this situation than an organization that has no retention limits on email," he adds.
Dave Bailey, director of security services at privacy and security consultancy CynergisTek, says searching email and identifying sensitive information requires robust data loss prevention technology.
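As an added illustration of the triage Fricke and Bailey describe, here is a Python script that is not code from the article, from Choice Health Management Services or from either consultant. It assumes the compromised mailbox has been exported to a list of records (the six sample messages below are constructed for this example, and the field names are assumptions), that the forensics work has already fixed the window of unauthorized access from authentication logs, and that the organization's retention limit is known. The script first drops messages outside that window or older than the retention limit, then sets aside unread messages as Fricke suggests, and finally runs DLP-style pattern matching (with a Luhn check on card numbers to cut false positives) over what remains. The unread flag is only a coarse filter, since an intruder can mark messages unread again; where mailbox audit logging was enabled, per-message access records should override it.

```python
"""Triage a compromised mailbox to scope a potential breach.

Added illustration, not code from the article or from the company's
investigation. The export format, the access window and the retention
limit are assumptions for this example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample export. Field names are assumptions for this example.
SAMPLE_MAILBOX = [
    {"id": "m1", "received": "2019-07-02T09:15:00", "read": True,
     "body": "Resident John Q. Public, DOB 03/14/1941, SSN 219-09-9999, room 4B."},
    {"id": "m2", "received": "2019-11-20T14:02:00", "read": False,
     "body": "Invoice attached. Card on file ends 4111 1111 1111 1111."},
    {"id": "m3", "received": "2019-11-21T08:30:00", "read": True,
     "body": "Staff meeting moved to 3pm, bring the census sheet."},
    {"id": "m4", "received": "2019-12-02T11:45:00", "read": True,
     "body": "Pt #A-48213 insurance ID BCBS 77310 approved for skilled nursing."},
    {"id": "m5", "received": "2019-12-05T10:20:00", "read": True,
     "body": "Claim for MRN 556677 needs a card: 4111 1111 1111 1112 (typo?)"},
    {"id": "m6", "received": "2019-12-18T16:10:00", "read": True,
     "body": "New admit, SSN 219-09-9998, card 4111 1111 1111 1111."},
]


@dataclass
class AccessWindow:
    start: datetime  # first unauthorized login, from authentication logs (assumed)
    end: datetime    # credential reset / account disabled (assumed)


# Constructed window for the sample data.
SAMPLE_WINDOW = AccessWindow(datetime(2019, 11, 15), datetime(2019, 12, 10))

# Simple DLP-style patterns for the data types named in the notification.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "patient_id": re.compile(r"\b(?:MRN|Pt #)\s*[A-Z0-9-]{4,}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),  # 13-16 digits, validated by Luhn
}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Map pattern name -> matches found in the text; card hits must pass Luhn."""
    hits = {}
    for name, pat in PATTERNS.items():
        found = [m.group(0) for m in pat.finditer(text)]
        if name == "card":
            found = [f for f in found if luhn_ok(re.sub(r"[ -]", "", f))]
        if found:
            hits[name] = found
    return hits


def in_scope(msg: dict, window: AccessWindow, retention_days: int) -> bool:
    """A message can only have been exposed if it existed during the window."""
    received = datetime.fromisoformat(msg["received"])
    # Older than the retention limit at window start: already purged.
    if received < window.start - timedelta(days=retention_days):
        return False
    # Arrived after the account was secured: never visible to the intruder.
    return received <= window.end


def triage(mailbox: list, window: AccessWindow, retention_days: int = 90) -> dict:
    """Split the mailbox into out-of-scope, unread and exposed-with-PII buckets."""
    report = {"excluded_retention_or_time": [], "excluded_unread": [], "exposed": {}}
    for msg in mailbox:
        if not in_scope(msg, window, retention_days):
            report["excluded_retention_or_time"].append(msg["id"])
            continue
        if not msg["read"]:
            # Coarse filter only: an intruder can re-mark messages as unread.
            report["excluded_unread"].append(msg["id"])
            continue
        hits = find_sensitive(msg["body"])
        if hits:
            report["exposed"][msg["id"]] = hits
    return report


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_MAILBOX, SAMPLE_WINDOW).items():
        print(bucket, items)
```

On the sample data, m1 falls outside the 90-day retention limit, m6 arrived after the account was secured, m2 is unread, and m5's card number fails the Luhn check, so only the patient identifiers in m4 and m5 end up in the exposed bucket. Every message left in that bucket is one whose recipients still have to be matched to a facility, which is the step the company says took it from late March to mid-May.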
Fricke warns that criminals are indiscriminate when it comes to compromising email accounts. "In the end, compromise of email accounts poses breach identification/response difficulties for any organization," he says.
Because email is such a prime target, it's critically important to provide ongoing reminders to the workforce regarding these types of attacks, he adds. "Remember to provide the big-picture framing for employees so they understand it's not just our organization that can be impacted by an email attack - think about all of our customers."
Organizations should conduct annual tabletop exercises to prepare them to respond to a potential breach, Fricke says. "This can be part of the evaluation of security standards in place to identify if current policies and procedures are optimal."
Also, having incident response playbooks for rapid and consistent response to email breaches is essential, he adds. "Companies should rehearse these plans to fine-tune the procedures and identify if any technical tools need to be acquired to aid in rapid analysis and response."