The following refers to a May 4 letter from St. Francis Healthcare Partners that G.B. of Windsor Locks received, saying that on Dec. 30 it was the victim of a sophisticated cybersecurity incident “where an unauthorized individual potentially accessed some protected health information.” On March 20, St. Francis wrote, it learned that some of G.B.’s medical information may have been taken, but not his Social Security number or financial information. The letter added, “we are notifying you so you can take measures to protect yourself, such as monitoring your health insurance claims information closely. … If you detect anything unusual please contact your health insurer.”
Q. I am very concerned that the enclosed letter I received last week [week of May 3] offers no ID protection and/or other assistance. I called and got a very “no big deal” response. There are federal laws protecting our medical records, for goodness’ sake! It is called HIPAA [the Health Insurance Portability and Accountability Act of 1996]!!
My medical history has been completely compromised. Not okay! And note the incredibly casual tone of the letter. The patient is supposed to monitor THEIR mistake?? Also, the timeline: Hacked in December, just found out about it NOW!! Any help you can provide would be appreciated. G.B., Windsor Locks
A. I contacted St. Francis and asked why it didn’t offer free ID theft and/or security monitoring, what is required after a security breach reveals a patient’s private medical data and other personal information, and what its policy on such breaches is.
But first I checked HIPAA, the state Department of Public Health, the state Department of Consumer Protection, and the Federal Trade Commission for what’s required and what isn’t.
HIPAA does not require St. Francis to offer credit monitoring, but does require notice to affected patients with steps they can take to mitigate risk and protect victims from harm.
The FTC says that if you experience a breach of unsecured personal health information, the entity suffering the breach must notify each affected person “without unreasonable delay” — and within 60 calendar days after discovery.
In your case the breach was discovered on Dec. 30, and the breach of your information was discovered on March 20, the hospital said. You were notified in less than 60 days from March 20, which would comply with FTC requirements. However, the FTC rule also says the countdown begins the day the breach becomes known to someone in the hospital — or the day someone should reasonably have known about it. The 60 days ended in February, so St. Francis violated that rule and can be subject to an FTC complaint.
If the breach involves the information of 500 people or more, the hospital must notify the FTC within 10 business days after discovery. If fewer than 500 people, the FTC must be notified within 60 calendar days following the end of the calendar year. Again, that would be at the end of February.
DCP spokeswoman Lora Rae Anderson said people must report data breaches to the state Attorney General, but the breach notice law includes Social Security number breaches, not medical information. DPH says you should send your complaint to its Facility Licensing Staff.
St. Francis and its parent Trinity Health of New England responded, saying, “No financial information, including Social Security numbers, was included in the incident. Saint Francis Healthcare Partners currently has no indication that any patient information was actually accessed or misused, nor is aware of any reports of identity theft or fraud. … Saint Francis Healthcare Partners has been in direct communication with [G.B.] to provide additional information.”
You then emailed me that you did get some free service after all. “I got a lukewarm response from Saint Francis offering me one year ID protection,” you said, adding, “I submitted a complaint to DPH and was assigned an advocate, but I will resubmit.”
I hope I helped by prodding St. Francis.
Those who think they’ve been a victim of identity theft should visit: identitytheft.gov