Last week we wrote about how phishing is increasing in the healthcare sector, and ways to fight back against phishing with a good HIPAA Risk Analysis and workforce security training. Today we want to focus on what to do after phishing hits – if you think a HIPAA breach has occurred.
We recently heard about a devastating phishing event that may have affected 200,000 patients at a healthcare network in California – they waited seven months before letting patients know and reporting the event to the Office for Civil Rights (OCR), the federal agency that enforces HIPAA.
PIH Health, a regional healthcare network based in Whittier, California, says that it discovered a phishing incident in June 2019 that it eventually reported to the Department of Health and Human Services and OCR on January 10, 2020.
We covered how to manage a HIPAA breach in August 2019. The tricky part for PIH Health is that they may not have known, or been convinced, an actual breach occurred, and it took many months for them to finish the breach investigation.
They took the right step to investigate. Not every security incident results in a HIPAA breach. Whether a breach occurred depends on the facts in the situation. In this case, email accounts were compromised, so questions include whose emails were compromised, what was contained in those emails, and what security measures were in place? If computers, laptops and smart phones contained protected health information and were not encrypted, it likely was a breach.
Details about what happened at PIH Health are not publicly known yet, but ultimately they decided it was a reportable breach and they set about notifying the 200,000 affected individuals, and reporting it to the media and OCR, all required by HIPAA.
OCR Will Investigate this HIPAA Breach
Apparently PIH Health finished its investigation four months after they first discovered the phishing attack – by November 12, 2019 they had concluded that protected health information was compromised. But then they waited until January 10, 2020 to report the breach to OCR just one day short of the 60 day maximum reporting period required by HIPAA.
This is a major HIPAA breach. We don’t yet know why PIH Health took 4 months to understand the June attack was a breach of unsecured protected health information or took almost 2 more months to report the breach to OCR. But we do know PIH Health is in trouble.
OCR automatically investigates breaches of this size.
State Privacy Law Also Applies
California, PIH Health’s home state, has much stronger laws than HIPAA covering breaches of medical information (must notify California Department of Health within fifteen days following discovery of the breach). HIPAA preempts state law, except where the state law is more strict. It is not clear whether PIH Health complied with applicable California law.
Class Action Lawsuit May Be Next
This number of 200,000 patients provides a likely pool of clients willing to join a class action lawsuit against PIH Health. Although HIPAA does not give individuals a private right to sue, lawyers are finding creative ways to use HIPAA standards to file lawsuits in egregious cases, using negligence, privacy law, and contract law, and judges are agreeing. We already know of one law firm advertising to find clients to sue PIH Health.
Trends in HIPAA Compliance
This breach highlights two notable trends.
- Hospitals struggle with HIPAA compliance on an enterprise-wide basis as noted by a study of 83 hospitals published in the Journal of the American Medical Association (JAMA) that found widespread noncompliance with the basic right of patients to have access to their own health information. See more on right of access here and here.
- Class action lawsuits based on violations of health information law are becoming an everyday occurrence.
Help With HIPAA Breach Notification
The HIPAA E-Tool® has all the answers needed to manage a potential breach investigation. You can handle it confidently and calmly with our Breach Risk Assessment Tool, the right forms, the right questions, a timelines, and draft notices to the media and affected persons. All the specific legal citations are included, a shortcut for lawyers who may be helping you, saving time and legal costs.
And we are a phone call away to help.