HIPAA Alert: You made a mistake. Tell your customers now, not later.

by ih-coc admin

Earlier in August, the New York Fire Department (FDNY) admitted that an employee's personal hard drive had been stolen and that thousands of EMS patients may have had their information compromised. It was good that FDNY gave notice of the incident, but unfortunately that notice came out five months after the department itself first learned of the theft.

This came almost immediately after a July disclosure by Tennessee Health Group that an employee's email account had been accessed. The intrusion, however, had been discovered back in May.

These incidents underline the findings of a recent study on why it is so important to disclose a data breach sooner rather than later.

New York Fire Department Data Breach

The theft in question affected 10,253 people treated or transported to a hospital by an FDNY EMS ambulance at any point between 2011 and 2018. The exposed records also included 2,988 Social Security numbers. The theft of the employee's personal, unencrypted external hard drive was discovered on March 4th. According to FDNY, the device contained thousands of pieces of "protected health information" (PHI) and "belonged to an employee authorized to access FDNY patient information." Note the word unencrypted: under the HHS breach guidance, PHI that is encrypted consistent with NIST recommendations is not "unsecured PHI," and its loss would not have triggered the notification obligation at all. It wasn't until the first week of August that FDNY notified patients of the risk.

Tennessee Health Group Data Breach

We actually covered this one in a previous article. Three Rivers Community Health Group in Tennessee reported that an "unauthorized individual" gained access to an employee's email account. As a result, names, dates of birth, dates of service, physicians' names, prescription information, and health insurance group and ID numbers were exposed, affecting 3,812 patients. The breach was discovered in May, but the official public announcement wasn't made until July, and the intrusion itself had occurred well before the discovery.

Why Timely Data Breach Notifications Matter

As we've said before, when a data breach occurs, customers lose faith in the company - particularly if they feel they are being lied to or otherwise perceive disingenuity on the part of the organization in question. But according to a new study from Experian, "If the breach response is properly managed and the breached entity is transparent and issues notifications promptly, customer churn rate can be kept to an absolute minimum."

And frankly, public perception aside, prompt notice is mandatory by law. The HIPAA Breach Notification Rule (45 CFR 164.404) states that affected individuals must be notified "without unreasonable delay and no later than 60 days from the discovery of the breach." Two practical points follow from that wording. First, the clock starts at discovery, and a breach is treated as discovered on the first day it is known to the organization or, by exercising reasonable diligence, would have been known - so the FDNY clock started running on March 4th, not when the press release was drafted. Second, 60 days is an outer limit, not a safe harbor: HHS has made clear that waiting until day 59 without good reason can itself be an "unreasonable delay." Patients, for their part, expect far faster action. According to the study, 73% of patients/plan members expect to be notified about a breach within 24 hours of its discovery. From the point of view of a customer whose life may have just been turned upside down thanks to your company, that is understandable.

Mistakes happen. It's human nature, and it's expected. But admitting to your mistakes is a necessary step in restoring your customers' faith. Doing so right away, instead of sitting on the information, shows that you're human too - not a faceless corporation issuing canned PR responses.

And with our help, you’ll make even fewer mistakes in the first place.

Take Action Now

Does your organization have a HIPAA breach notification policy and, more importantly, procedures to follow? If not, we can develop one for you as part of our comprehensive package of HIPAA services. Give us a call today at 800-733-6379 or drop us an email at info@cchipaa.com for a free initial consultation.