Apria Healthcare on May 22 notified over 1.8 million patients and employees that their personal, financial and health data was accessed during a systems hack. However, the home healthcare equipment vendor first learned of the breach more than 18 months ago.
The Health Insurance Portability and Accountability Act requires covered entities and connected vendors with access to protected health information to inform patients of compromises to protected health information without delay.
HIPAA’s breach notification rule “requires covered entities to report breaches affecting 500 or more individuals to the affected individuals, to OCR, and (in certain cases) to the media without unreasonable delay and no later than 60 calendar days from discovery.”
Despite the plain language, it’s a rule often overlooked by reporting entities — usually attributed to lengthy investigations.
Given a rise in hacking incidents and delayed breach notices, the Department of Health and Human Services recently issued a reminder to healthcare organizations about the importance of timely response to security incidents, as hacking is “the greatest threat to the privacy and security of protected health information.”
Apria’s breach notice, however, does not explain why the company waited far longer than the maximum timeframe to inform patients that their data had been compromised.
The company was first notified that “select” systems were accessed by an unauthorized third party on Sept. 1, 2021. Apria quickly worked to mitigate the incident and contacted the FBI, as well as an outside forensics team, to investigate and securely resolve the incident.