In August 2019, the healthcare company notified 33,730 patients that their personal health information may have been exposed in a data breach at a third-party provider of billing collection services. The third-party provider disclosed the data breach to the company in June 2019, and it's unclear why the company delayed its disclosure to those affected.
It is believed an unauthorised person may have had access to the provider's systems for eight months between 1st August 2018 and 30th March 2019. Presuming the unauthorised access ended when the event was discovered, it's unclear why there was a two-month delay in disclosing the event to the company. That same month the third-party provider filed for bankruptcy protection as a result of costs associated with the breach.
In March 2021, the third-party provider reached an agreement with 41 states to resolve a multi-state investigation into this data breach.