In what’s sure to raise questions, Dental Health Management Solutions, a Cedar Park, TX-based provider of dental management services, recently announced through its attorneys that certain patients’ PHI was exposed in a 2021 incident.
The provider said it detected a network intrusion on or around August 20, 2021. The forensic investigation confirmed that the provider’s network had been compromised on July 17, 2021, according to a notification to the Maine Attorney General made in February of this year.
A review confirmed that over 3,000 individuals’ protected health information was accessed or acquired in the attack. The provider said it has changed passwords and implemented multifactor authentication and offered affected individuals complimentary credit monitoring and identity protection services.
There are several unanswered questions that go well beyond mere idle curiosity:
- Why did it take 18 months from the date of the breach’s discovery for a notification letter to be sent? HIPAA requires notifications be issued within 60 days of a breach.
- Why has a data breach report not been filed with U.S. Department of Health and Human Services, Office for Civil Rights, as required by law?
- Why was the data breach notification filed (to date) only with the Maine Attorney General’s office? This breach notification stated only one Maine resident was affected. Does this mean the 3,000 or so other affected patients in other states haven’t been notified that their PHI was compromised?
For all of you providers out there, this is the perfect opportunity to do a quick review of HIPAA data breach notification requirements.
HIPAA Data Breach Notification Requirements
Who Must Be Notified
Following a breach of unsecured protected health information, covered entities must provide notification of the breach to the following:
- Affected individuals
- Secretary of Health and Human Services (HHS) and, in certain circumstances, the media
- Business associates must notify covered entities if a breach occurs at or by the business associate.
When Breaches Must Be Reported
For Breaches Affecting Fewer than 500 Individuals
If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the Secretary of Health and Human Services of the breach within 60 days of the end of the calendar year in which the breach was discovered. (A covered entity is not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals; a covered entity may report such breaches at the time they are discovered.)
For Breaches Affecting 500 or More Individuals
If a breach of unsecured protected health information affects 500 or more individuals, a covered entity MUST:
- Notify the Secretary of the breach without unreasonable delay, and in no case later than 60 calendar days from the discovery of the breach.
- Submit the notice to the Secretary of HHS electronically by clicking on the link to the HHS website below and completing all required fields of the breach notification form—regardless of the date by which the breach must be reported.
- Provide notice to prominent media outlets serving the State or jurisdiction if they experience a breach affecting more than 500 residents of a State or jurisdiction. (This is in addition to notifying the affected individuals and notifying HHS.) Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach, and must include the same information required for the individual notice. (An extensive search of the internet has been unsuccessful in identifying any such media notices associated with the DHMS breach.)
For a deeper dive into the HHS requirements regarding breach notification rules, please see the HHS’ web page outlining them in more detail.