Health Quest is in the process of sending breach notification letters to certain patients concerning a 2018 phishing attack.

Health Quest posted the breach notification on their website on April 2, 2019. According to the notification, the breach affected patients of Health Quest Medical Practice, Health Quest Urgent Care and Hudson Valley Newborn Physician Services.

Patient information was compromised following a successful phishing attack on Health Quest’s systems. The hacker compromised several employee email accounts and therefore was afforded access to all emails and email attachments in the account. As these messages and documents contained sensitive patient information, the event constituted a data breach.

Following a thorough examination of the compromised accounts, the investigators determined that the hacker may have accessed patient information including names, diagnoses, treatment information, dates of service, provider names, health insurance claims information and other information related to services received during the period between January and June 2018.

The attack occurred in July 2019, and Health Quest discovered the attack later that same month. They immediately took steps to secure the account and block unauthorized access. However, according to Health Quest, it was not until January 2019 that they discovered the compromised accounts contained health information. Health Quest has yet to disclose why it took so long for them to determine that the compromised email accounts contained potentially sensitive information.

According to Health Quest, “On January 25, 2019, Health Quest Affiliates identified email attachments that contained certain health information, and on April 2, 2019, were determined to contain patient information.”

As a result of this delay, breach notification letters were only sent 11 months after the incident was discovered, and nearly 5 months after the accounts were discovered to contain sensitive information. Affected individuals should receive their notification letters by June 10, 2019.

Quest Health has since implemented multi-factor authentication and has strengthened email security to prevent further breaches.

The delay in notifying individuals could constitute a violation of HIPAA’s Breach Notification Rule. HIPAA requires covered entities (CEs) to send breach notification letters within 60 days of the discovery of the breach. OCR must also be notified of the breach within 60 days. Health Quest’s delay of nearly a year is clearly outside of this timeframe.

It is possible that Health Quest delayed sending letters until they could fully determine which individuals were affected by the breach. However, the 60-day period starts once the breach is discovered, not when the individuals are identified. CEs usually submit an initial breach report to OCR and add adenda once more information is discovered.

State attorneys general and OCR have taken action against organizations in the past over delayed breach notifications and have issued regulatory fines. It is yet unknown if any action will be taken against Health Quest for their delay in taking action.