Email breach bypasses notification period of HIPAA Breach Notification Rule
Primary Health Care in Des Moines, Iowa, recently announced an email breach of its system one year after discovery. This exceeds the timeframe outlined in the HIPAA Breach Notification Rule, which states that organizations are required to report a breach within 60 days of discovery.
While the breach was discovered March 1, 2017, it was not reported until March 16, 2018, according to the OCR breach portal. The breach affected the information of 10,313 individuals, including credit or debit card information, Social Security numbers, phone numbers, patient names, and financial account details, stated Primary Health Care in a recent notice.
The hacker obtained patient information by gaining unauthorized access to four employee email accounts on February 28, 2017. The organization is currently notifying affected individuals and has arranged 12 months of identity protection services. Primary Health Care did not provide details on why the notification letter was released one year after the initial breach discovery.