Mental Health Clinic Notifies Patients 6 Months After HackPII, PHI for 35,000 Individuals Potentially Stolen in Incident
A Philadelphia-based mental health services provider has begun to notify 35,000 individuals that their health and personal information was potentially viewed or stolen by hackers in a data security incident discovered more than six months ago.
In a Sept. 17 statement, Horizon House says that it is informing staff and participants of a data security incident detected on March 5 that "may impact the privacy" of their personal information.
Horizon House provides services for patients with behavioral health needs and intellectual and developmental disabilities, as well as emergency housing for the homeless.
The U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals, shows that Horizon House reported the hacking/IT incident involving a network server on Sept. 17 as affecting nearly 28,000 individuals.
But in a breach report filed that same day to the state of Maine's attorney general, Horizon House said the "external system breach/hack" affected more than 35,000 individuals, including one Maine resident.
Horizon House says it became aware of suspicious activity in its systems on March 5. "We immediately launched an investigation to confirm the full nature and scope of the incident and restore functionality to impacted systems," says a notification statement posted on Horizon House's website.
Horizon House says it learned that certain information stored within its environment was potentially "viewed or taken by an unknown actor" between March 2 and March 5. "On or about Sept. 3, after reviewing the potentially impacted files, we confirmed that certain personal information was included in those files," the statement says.
The type of information contained in the affected systems included individuals' names, addresses, Social Security numbers, driver’s license and/or state identification card numbers, dates of birth, financial account information, medical claim information, medical record numbers, patient account numbers, medical diagnoses, medical treatment information, medical information, health insurance information, and medical claim information, the organization's website says.
But a sample notification letter Horizon House provided to the Maine attorney general's office indicates passport numbers were also potentially exposed, as well as "financial account number or credit/debit card number in combination with security code, access code, password or PIN for the account."
Horizon House says in its notification that that it is unaware of any of the affected information being misused.
Some experts say the nature of the incident, data affected and apparent lag in notification are worrisome.
"One of my immediate concerns about this higher-risk breach is the trauma that could be caused for the 35,000 victims," says Jim Van Dyke, senior vice president at security firm Sontiq, which analyzes and rates the severity of data breaches based on the type of information compromised. Sontiq rates the Horizon House breach "an unusually very high 7" on its 1-10 breach risk severity scoring system, Van Dyke notes.
"This breach earns a particularly high score because of the breadth of high-risk ID credentials exposed, including drivers’ license numbers, which can enable new financial account fraud, impersonation with law enforcement agencies, and other crime, he notes.
The risk of medical identity theft is also high, he says.
"It is particularly concerning to see psychiatric patients affected by this," he notes. "It’s quite problematic that the notice was delayed by many months, as research finds that the identity crimes enabled by data breaches can occur immediately after data exposure," he says.
'Especially Vulnerable' Individuals
Privacy attorney David Holtzman of the consulting firm HITprivacy offers a similar assessment.
"Individuals with developmental disabilities and those receiving long-term residential treatment are especially vulnerable for identity theft because they do not know to watch for the warning signs that can tip you off to the fact that someone is misusing their personal information and committing fraud," he says.
For example, many of these individuals are not likely to receive notices from government agencies about applications for benefits using their Social Security number, or a notice from the IRS that the patient’s Social Security number was used on another tax return, he notes.
Horizon House did not immediately respond to Information Security Media Group's request for additional breach details, including the type of hacking incident and reasons for the apparent lag between the time the incident was discovered and when affected individuals were notified.
Deadline to Report
Under HIPAA, healthcare entities must notify affected individuals of a breach of unsecured protected health information within 60 days of discovery. Breaches affecting 500 or more individuals must also be reported to the HHS' Office for Civil Rights within the same time frame.
Nonetheless, much longer delays between the discovery of a data security incident and breach notification of affected individuals appear to be a fairly common problem among some healthcare provider organizations (see: Notification of Breach Affecting 219,000 Delayed).
For example, Georgia-based medical specialty practice Atlanta Allergy & Asthma apparently waited up to seven months to begin notifying - in August - thousands of individuals affected by a security incident it says it "identified" in January.
Other recent examples of delays between the discovery of a data security incident and notification of affected individuals include situations involving vendors.
For instance, California-based healthcare provider LifeLong Medical Care just recently began notifying 115,000 individuals that their PHI potentially had been acquired by hackers in November 2020 ransomware incidents involving its third-party cloud-hosting vendor Netgain (see: Ransomware, Vendor Breaches Spike on Federal Tally).
"It is very risky to put off breach notification until a forensic analysis can determine with certainty precisely which specific files were compromised" in a data security incident, Holtzman says.
"The HIPAA Breach Notification Rule requires that notification be made when there is a greater than low risk of comprise to unsecured PHI," he says.
Presumption of Compromise
HHS OCR guidance instructs entities that a cybersecurity incident or ransomware event is presumed to have been an unauthorized use or disclosure of PHI, Holtzman notes.
"In the case of a healthcare provider whose entire system is 'locked up' in a ransomware attack, they should reasonably know that all the PHI has been compromised," he says.
Federal regulators have imposed penalties following a handful of incidents involving delayed breach notification.
For example, in January 2017, HHS OCR hit Illinois-based Presence Health with a $475,000 HIPAA settlement and corrective action plan in the agency's first enforcement action involving the failure to provide timely breach notification to individuals (see: $475,000 HIPAA Penalty for Tardy Breach Notification).
In that case, OCR said it had received a breach notification report on Jan. 31, 2014, from Presence Health about a paper records breach discovered about fourth months earlier that had affected the PHI of 836 individuals.