EmCare data breach compromises 60,000 employee and patient files

Florida-based EmCare has announced that an estimated 60,000 files were compromised by a hack of several employee emails. Phishing emails account for a large share of the patient data breaches reported under HIPAA.

The breach reportedly included demographic and clinical data for patients, contractors, and employees. Social Security numbers and driver’s license numbers were exposed in some files, according to the announcement.

There is no evidence to suggest that the information has been misused, or that anyone will attempt to misuse the information, according to the official announcement. In addition, EmCare is not aware of any individual who has been impacted by fraud or identity theft as a result and does not know if any personal information was actually obtained by an unauthorized party, EmCare advised. For the subset of patients and employees whose Social Security or driver’s license numbers were impacted, EmCare has arranged for identity protection and credit monitoring services. Notices to those affected began being mailed April 17.

Some media stories on the breach suggest that the announcement may have been late, since, according to the breach announcement itself, it was made 60 days after the breach was confirmed. HIPAA rules require that notification of PHI breaches affecting 500 or more individuals be made within 60 days of discovery, not confirmation.

Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice. — https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
