A year ago, in May 2023, hackers stole patients’ personal information from Superior Air-Ground Ambulance Service, Inc.’s IT network. According to the company’s website notice, they discovered the intrusion shortly after it occurred and began investigating.
On June 23, 2023, the investigation into the breach revealed that an unauthorized party had illicitly copied specific files from the network between May 15 and May 23, 2023. The company continued to evaluate the incident and the identity and contact information of persons affected.
About 11 months after discovering the breach, on May 10, 2024, Superior filed a HIPAA breach report with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The company has also begun to notify affected individuals.
The protected health information (PHI) of 858,238 patients was stolen. The information contained in the copied files varies by individual, but it may include name, address, birth date, Social Security number, driver’s license or state identification number, financial account information, payment card information, patient record information, medical diagnosis or condition information, medical treatment information, and health insurance information.
Superior Air-Ground Ambulance Service, based in Elmhurst, IL, has 3,000 employees. It provides emergency medical services—including paramedics, rescue divers, ambulances, medical flights, and emergency medical equipment—in five Midwest states.
Breach Notification Rule
It is unclear why Superior waited so long to file a breach report.
The HIPAA Breach Notification Rule requires covered entities to report large breaches (affecting 500 or more individuals) to OCR no later than 60 days after discovery. They must also notify affected individuals “without unreasonable delay” but no later than 60 days after discovery.
Superior’s 60-day clock started on June 23, 2023. The 60-day window may be lengthened only at the direction of law enforcement investigating criminal activity or a threat to national security. Superior has not indicated whether law enforcement requested the delay, and the company has not responded to questions about the incident from Information Security Media Group.
Class Action Lawsuits May Be Next
ISMG notes that several law firms are investigating claims by individuals affected by the Superior breach. If any of those lawsuits are filed, Superior will need to spend time and money defending them, in addition to responding to an investigation from OCR, which investigates all breaches affecting 500 or more individuals.
Among the top questions in an investigation or lawsuit will be:
- Does Superior have adequate cybersecurity defenses in place?
- Does Superior train its workforce on HIPAA and cybersecurity awareness?
- Has Superior completed a HIPAA Risk Analysis or security risk assessment? When was it performed?
- Why did Superior wait to report the breach and notify affected individuals?
HIPAA Compliance Saves Time and Money
With strong HIPAA compliance, you can reduce cyber risks and avoid the exorbitant costs of a data breach.
Not all cyber incidents are entirely preventable, but you can reduce the damage inflicted by a hack with strong cyber protections in place.
The HIPAA Security Rule requires regulated entities to have certain Administrative, Physical, and Technical Safeguards to reduce security breaches and theft. HIPAA policies, a risk management plan, and workforce training work together to defend against privacy and security breaches. Using the Security Rule Checklist in The HIPAA E-Tool®, it’s easy to cover all the bases.
Solid policies and procedures also help defend investigations and lawsuits. A company that can prove it was careful and tried to protect patient privacy is less likely to be found negligent in a lawsuit and less likely to pay civil penalties in an OCR investigation, even when its efforts did not completely stop a theft.