Navicent Health, a 5-hospital delivery system serving the Macon, Georgia region, was the victim of a cyberattack in the summer of 2018 and is only now announcing the incident to affected individuals and the HHS Office for Civil Rights, which enforces HIPAA privacy and security rules. HHS expects data breaches to be reported to the agency within 60 days.
The organization did not explain the considerable delay in reporting the breach in its notice and did not reply to a query about the reasons. Navicent Health retained forensic security firms to help investigate the breach, which resulted from email accounts being compromised, and it wasn’t until January 24, 2019, that the organization understood what data was at risk.
The data included patient names, dates of birth, addresses and limited medical information such as billing and appointments, as well as an unspecified number of compromised Social Security numbers. The attack did not impact computer networks or electronic health records.
For the most part, patients are on their own to deal with the data breach. Navicent Health is giving affected patients information on how to protect themselves from fraud, but is only offering identity theft protection services to an undisclosed number of persons whose Social Security number may be compromised.
“If individuals detect any suspicious activity, they should notify the entity with which the account is maintained and promptly report any fraudulent activity to law enforcement and their state attorney general,” affected patients were told. “In addition, anyone looking for information on fraud prevention can review tips provided by the Federal Trade Commission.”
The number of affected individuals has not yet been posted by the Office for Civil Rights. Navicent Health declined a Health Data Management request for additional information on how the breach was handled.