On Monday, it was reported that Community Health Systems, which operates 206 hospitals across the United States, had a data breach that affected an estimated 4.5 million patients.
According to the statement filed by Community Health Systems, the breach was a result of a "criminal cyber-attack" believed to be from thieves operating out of China who stole "patient names, addresses, birthdates, telephone numbers and social security numbers." The statement also said "the company has confirmed that this data did not include patient, credit card, medical, or clinical information."
Community Health Systems said they are notifying each of the estimated 4.5 million patients and will offer identity theft protection to anyone affected by the attack. Further, to prevent any additional harm, the company managed to wipe the hackers' malware from their computer systems and implemented protections to "prevent similar" attacks.
How does the HIPAA Breach Notification Rule apply?
Under the HIPAA Breach Notification Rule, covered entities and their business associates are required to provide notification following a breach of unsecured protected health information. Individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach.
Protected health information (PHI) by definition is individually identifiable health information maintained or stored in electronic or any other form or medium. It includes medical, demographic, and financial information about the patient.
Because the information that was stolen in the Community Health Systems breach included demographic information (patient names, addresses, birthdates, telephone numbers and social security numbers), individual notices should be quickly provided to each of the estimated 4.5 million patients, no later than 60 days following the discovery of a breach.
What needs to be provided when notifying an individual of a breach?
Using Omnibus as a guide, the following are required to be included in a breach notification:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
- A description of the types of unsecured protected health information that were involved in the breach.
- Any steps individuals should take to protect themselves from potential harm resulting from the breach.
- A brief description of what the covered entity involved is doing to investigate the breach, mitigate the harm to individuals, and to protect against any further breaches.
- Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, Web site, or postal address.
Media Notice
In addition to notifying the affected individuals, Community Health Systems should provide notice to prominent media outlets serving the State or jurisdiction because of the number of individuals affected. The media notification, such as a press release, must be provided without unreasonable delay and in no case later than 60 days the discovery of a breach and must include the same information required for the individual notice.
Notice to the Secretary
Finally, in addition to notifying the affected individuals and the media, the Secretary of the Department of Health and Human Services (HHS must be notified. The notification must be filled out and submitted electronically by visiting the HHS website (https://ocrnotifications.hhs.gov/). The notification must be provided without unreasonable delay and in no case later than 60 days from discovery of the breach.
Conclusion
Data breaches have the potential to cause harm to a large number of individuals. Unfortunately, this was the case for Community Health Systems. In the event of a breach, there are important notification requirements for covered entities and their business associates. For large breaches (breaches affecting 500 or more individuals), notices to affected individuals, media notice, and notice to the Health and Human Services Secretary must occur without unreasonable delay and in no case later than 60 days from discovery of the breach. As part of the notification process, it is important to provide: (1) any steps individuals should take to protect themselves from potential harm resulting from the breach; and (2) to provide a brief description of what the covered entity involved is doing to investigate the breach, mitigate the harm to individuals, and to protect against any further breaches. To address these notification requirements, Community Health Systems properly offered identity theft protection to anyone affected by the attack. In addition, the company managed to wipe the hackers' malware from their computer systems and implemented protections to "prevent similar" attacks.
If you experience a breach, please make sure to contact us so we can help you throughout the notification process. If you have any additional questions please do not hesitate to contact one of our professional consultants.