Will Beacon Health Solutions’ incident prompt OCR to start enforcing notification “without undue delay?”

The following is a DataBreaches.net commentary. Beacon Health Solutions issued a press release yesterday about a breach they experienced last year as a business associate.  Their press release provides a useful example of why OCR needs to get serious about enforcing the requirement that entities notify patients within 60 days of “discovery.” “Discovery” does not mean when an entity finally finishes figuring out whom to contact.  “Discovery” means the date that a covered entity knows, or by reasonable diligence should have known, that a breach of unsecured PHI has occurred.  The entity then has an obligation to notify the relevant parties (individuals, HHS and/or the media) “without unreasonable delay” or up to 60 calendar days following that date. As applied to a business associate, § 164.410 Notification by a business associate. (a) Standard – (1) General rule. A business associate shall, following the discovery of a breach of unsecured protected health information, notify the covered entity of such breach. (2) Breaches treated as discovered. For purposes of paragraph (a)(1) of this section, a breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the Federal common law of agency). (b) Implementation specifications: Timeliness of notification. Except as provided in § 164.412, a business associate shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. Keep that in mind as you read Beacon Health Solution’s press release, issued yesterday: TAMPA, Fla., April 21, 2021 /PRNewswire/ — On October 5, 2020, Beacon Health Solutions, LLC (“Beacon”) experienced a data security incident that prevented users from accessing systems and data. Upon discovering this incident, Beacon immediately launched an investigation and engaged a digital forensics firm to help determine what happened and what information may have been accessed. On January 29, 2021, Beacon determined that personal information and protected health information belonging to certain individuals was acquired without authorization as part of the incident. But January 29 is not the date of “discovery,” despite what their notice might want you to believe.  On November 3, DataBreaches.net contacted Beacon to inquire about the breach, which had already been posted on the Sodinokibi threat actors’ leak site.  Getting no reply, DataBreaches.net emailed Beacon again on November 6 after REvil started dumping some of Beacon’s data on their site.  Again, Beacon did not reply. On November 9, DataBreaches.net reported the breach as part of a series of ransomware attacks in a report about timely notification called “Without Undue Delay.” On December 26, DataBreaches.net reached out to Beacon Health Solutions again — this time to Michael Friel, HIPAA Compliance Officer. That email said, in part: I contacted Beacon Health Solutions on Nov. 3 and on Nov 6 and got no response to either inquiry about the ransomware attack claimed by REvil (Sodinokibi) threat actors. It is now more than 60 days (and possibly more than 90 days?) since the threat actors attacked Beacon. Looking at their partial data dump, I see thousands of patients’ protected health information (PHI), from a number of your clients like OPTUM and HTA, as well as thousands of scans from your Lubbock mailroom. I also see appeals over denial of benefits, and files with EDI. What I don’t see anywhere is where Beacon Health has issued any notification of this breach. Where is the disclosure and notification? Have I missed it somewhere? Please email me a copy of your disclosure/notice or point me to the url where it appears. Or if you haven’t issued any, please explain why you haven’t. The following screencaps are listings of just some of the data the threat actors had dumped prior to that December 26 email from this site to Beacon. They are redacted by DataBreaches.net for this publication but were not redacted on the threat actors’ leak site.     Once again, Beacon did not respond. On January 5, DataBreaches.net posted an update to the report, noting that in the interim Beacon Health Solutions had reported the breach to HHS on December 11, but had still not posted any notice or substitute notice. Did they notify their clients (covered entities) on December 11, too?  Their press release does not say.  And yet now, in April, they claim that  “On January 29, 2021, Beacon determined that personal information and protected health information belonging to certain individuals was acquired without authorization as part of the incident.” On January 29?  Seriously?  OCR should not accept any claim that discovery was any time after the threat actors had already dumped proof and ePHI. But to continue with Beacon’s press release, they now report: The types of information potentially accessed varied by individual, but may have included name, address, Social Security number, driver’s license, medical information, and health insurance information. The specific types of medical information and/or health insurance information that may have been accessed include Member/Medicaid ID numbers, treatment/diagnosis information, dates of service, provider name(s), patient account number(s), and medical record number(s). Beacon reported this matter to the FBI and will provide whatever cooperation is necessary to hold perpetrators accountable.  Impacted individuals were notified beginning on April 20, 2021.  The notification included information about this incident and measures that can be taken to protect personal information and protected health information, including free identity monitoring and recovery services.  To enroll in these services, affected individuals must call the toll-free number: 1-833-416-0905. Further information can be obtained at www.beaconh.com. About Beacon Health Solutions, LLC: Beacon is a third-party administrator (“TPA”) for managed care plans headquartered in Tampa, Florida. SOURCE Beacon Health Solutions, LLC Beacon reported this incident to HHS on December 11 as impacting 500 patients.  DataBreaches.net believed that the number was inaccurate based on the data the threat actors had already dumped. In fact, the threat actors claimed to have exfiltrated 600 GB of data:DataBreaches.netRead More