Health Quest Excessively Delayed Sending Breach Notifications to Patients


A phishing attack on Health Quest resulted in the exposure of the protected health information (PHI) of some patients.

The Health Quest affiliates Health Quest Medical Practice, Hudson Valley Newborn Physician Services and Health Quest Urgent Care were affected by the breach. Patients who received medical services from these affiliates had their information exposed.

On April 2, 2019, the breach notice posted on the Health Quest website mentioned the discovery of the breach by Health Quest. Because of the phishing attack, patient data included in emails and attachments associated with a number of employee email accounts were compromised.

Compromised PHI included the patients’ names, diagnoses, treatment data, dates of service, health insurance provider names, insurance claims details and other data associated with services acquired from January to June 2018.

Accounts were secured promptly upon the discovery of the breach. A top cybersecurity company investigated the incident. Health Quest also applied multi-factor authentication to strengthen email security and avoid other breaches. The company mailed breach notification letters to the affected people, which are expected to be received by June 10, 2019.

It seems that the breach notifications were sent within the time frame required by HIPAA (April to June). However, the phishing attack actually happened, and was discovered, in July 2018.

Health Quest said that its affiliates found email attachments containing some health data on January 25, 2019. Then on April 2, 2019, they confirmed that the files contained patient information. Therefore, breach notification letters were actually sent 11 months after the email account compromise occurred, and 5 months after it was discovered that health data may have been exposed. There is no explanation for the long delay in determining that PHI had been breached.

Several breaches reported lately occurred a few months earlier, with the notifications issued only after the investigations were completed. It is understandable that notifications can’t be sent to affected persons until they are identified. However, the HHS has made clear that breaches must be reported immediately, and within 60 days of discovering the breach.

The discovery date refers to the date the breach was discovered, not the date on which the total number of affected persons could be determined. OCR notifications should be sent within 60 days. If more information becomes available, for instance the total number of persons impacted, addenda to the breach reports can be sent.

The OCR and state attorneys general have issued regulatory fines to companies that excessively delayed issuing breach notifications.