Breach Notification Deadline is February 29th

By: Margaret Young Levi

Heads up! The deadline for notifying the Office for Civil Rights (OCR) of healthcare data breaches affecting fewer than 500 individuals is early this year. Reports of small data breaches may be submitted to OCR annually, usually by March 1st, but because 2024 is a leap year, the reports are due on or before Thursday, February 29th.

The HIPAA Breach Notification Rule, 45 C.F.R. §§ 164.400-414, requires HIPAA covered entities to provide notification following a breach of unsecured protected health information (PHI) to affected individuals, to OCR, and, in certain circumstances, to the media.

HIPAA covered entities must notify all individuals whose unsecured PHI has been breached. An impermissible use or disclosure of PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. Notice must be given without unreasonable delay, and in no case later than 60 calendar days from the discovery of the breach.

Reporting to OCR is accomplished by electronically submitting a breach report form. If a breach affects 500 or more individuals, then the covered entity must submit the breach report to OCR without unreasonable delay and in no case later than 60 days following discovery of the breach. If, however, the breach affects fewer than 500 individuals, then the covered entity may choose to submit such breach reports on an annual basis. (Note that covered entities must submit a separate breach report for each breach incident and cannot combine them.) Annually submitted breach reports are due to OCR no later than 60 days after the end of the calendar year in which the breaches were discovered, which for breaches discovered in 2023 falls on February 29, 2024.

In addition to notifying the individuals and OCR, covered entities that experience a breach affecting more than 500 residents of a state or jurisdiction are required to provide notice to prominent media outlets serving that state or jurisdiction. This media notification must be provided without unreasonable delay and in no case later than 60 days following discovery of the breach.

Looking for assistance with your organization’s data security policies? We work with clients and their IT teams in the preparation and updating of information security policies and procedures to comply with the HIPAA Security Rule, FTC Safeguards Rule, and more. Such policies are essential in today’s cyber threat environment to meet the expectations of regulatory enforcement agencies such as the HHS Office for Civil Rights and the FTC. Information security policies also aid organizations in meeting other legal requirements and expectations, e.g., contractual, cyber insurance underwriting, consumer, and other third-party obligations. If you are looking for assistance in this area, and to learn more about Wyatt’s data privacy and cyber security practice, visit the Wyatt Data Privacy & Cyber Security webpage.

If you need additional information, contact: Kathie McDonald-McClure, kmcclure@wyattfirm.com, at 502.562.7526

Apache Log4j Vulnerability in Java Applications May Pose Risk to Confidential Company and Personal Information

By: Kathie McDonald-McClure

On December 11, 2021, the United States Cybersecurity & Infrastructure Security Agency (CISA) issued a Statement regarding what it called a “critical vulnerability affecting products containing the log4j software library”. This Statement emphasizes that end users are reliant on their vendors to inform them about the vulnerability and to develop patches to protect against it. Separately, CISA established a webpage for Apache Log4j Vulnerability Guidance that CISA is continually updating with further guidance and vendor information as they become available. End users should be on the lookout for critical patches from their vendors.

According to the CISA Guidance, the Log4j vulnerability is being widely exploited by a growing set of malicious actors to steal information, launch ransomware attacks, or conduct other malicious activity such as taking over a company server to mine cryptocurrency. At least 10 major technology vendors have issued statements that one or more of their products are affected by the Log4j vulnerability: Cisco, IBM, VMware, Amazon Web Services (AWS), Fortinet, Broadcom, ConnectWise, HCL Connections, N-able, and Okta.[1] On December 15, 2021, the Microsoft 365 Defender Threat Intelligence Team reported that a new family of ransomware, called Khonsari, is being deployed via the Log4j vulnerability on non-Microsoft-hosted servers.


KRONOS Payroll Ransomware Attack Implicates Potential Data Breach Notification Obligations

By: Kathie McDonald-McClure

UKG, Inc., a company that provides payroll support services known as KRONOS to many U.S. companies, began notifying its customers on December 12, 2021, that the KRONOS Private Cloud (KPC) had been attacked by ransomware. (See UKG Kronos Private Cloud Status Updates.) The KPC products include Workforce Central, TeleStaff, Healthcare Extensions and Banking Scheduling Solutions. UKG reports that the KPC solutions may be unavailable for “several weeks.” Affected companies are diligently working to find alternative solutions to process their payrolls in the interim. UKG has created a KPC Incident Resource Hub to assist customers impacted by the KPC service disruption.

The American Hospital Association (AHA) reported that the ransomware attack has impacted many hospitals and health systems that rely on KRONOS for timekeeping, scheduling and payroll.  John Riggi, AHA’s Senior Advisor for Cybersecurity and Risk, said, “A lack of the availability of those services could be quite disruptive for health care providers, many of whom are experiencing surges of COVID-19 and flu patients. … This attack once again highlights the need for robust third-party risk management programs that identify mission-critical dependencies and downtime preparedness. … [W]e urge all third-party providers that serve the health care community to examine their cyber readiness, response and resiliency capabilities.” 

In addition to the immediate payroll issues, if the ransomware attack compromised employee personal information, then it may trigger data breach notification obligations for these employers under state breach notification laws.


Puerto Rico Imposes Massive Fine for Insurer’s Data Breach

The Puerto Rico Health Insurance Administration has fined Triple-S Salud Inc. (TSS) $6.8 million for failure to safeguard Medicare beneficiary numbers. This far exceeds any fine imposed by, or settlement reached with, the United States Office for Civil Rights to date for HIPAA data breaches. How did the fine reach such a staggering amount? What lessons can be learned?