Apria Healthcare on May 22 notified more than 1.8 million patients and employees that their personal, financial and health data was accessed during a hacking incident. However, the home healthcare equipment vendor first learned of the intrusion more than 18 months ago.
The Health Insurance Portability and Accountability Act requires covered entities to notify affected individuals of breaches of unsecured protected health information without unreasonable delay, and requires business associates that handle that data on their behalf to notify the covered entity.
HIPAA's breach notification rule "requires covered entities to report breaches affecting 500 or more individuals to the affected individuals, to OCR, and (in certain cases) to the media without unreasonable delay and no later than 60 calendar days from discovery." (OCR is the HHS Office for Civil Rights, which enforces the rule.)
Despite the plain language, reporting entities often miss the deadline, usually citing lengthy investigations. The 60-day clock runs from the date the breach is discovered, not from the date the investigation concludes.
Given a rise in hacking incidents and delayed breach notices, the Department of Health and Human Services recently issued a reminder to healthcare organizations about the importance of timely response to security incidents, as hacking is “the greatest threat to the privacy and security of protected health information.”
Apria's breach notice, however, does not explain why notification came so far past the 60-day maximum.
The company was first notified that “select” systems were accessed by an unauthorized third party on Sept. 1, 2021. Apria quickly worked to mitigate the incident and contacted the FBI, as well as an outside forensics team, to investigate and securely resolve the incident.
Investigators determined the access occurred in two periods, each roughly a month long: from April 5, 2019, to May 7, 2019, and again from Aug. 27, 2021, to Oct. 10, 2021. The second window means unauthorized access continued for more than a month after the Sept. 1, 2021, notification. Officials said they believe "the purpose of the unauthorized access was to fraudulently obtain funds from Apria and not to access personal information of its patients or employees."
Apria found no evidence that funds were removed. A "small number of emails and files were confirmed to have been accessed," the company said, "but there is no proof that any data was taken from any system."
The “potentially accessed” information varied by individual and could include personal, medical, health insurance or financial information. Some Social Security numbers were also exposed. All affected patients will receive identity protection services.
Apria has since conducted a “thorough review of the potentially affected systems” and added further security measures to prevent a recurrence. Officials said, “we take the protection and proper use of your information very seriously.”
David Bailey, vice president of consulting services at Clearwater, said several of the steps reportedly taken by Apria are recommended to any organization dealing with a cyber incident: respond immediately, mitigate the threat, determine the impacts, and return to normal operations.
"It's critical organizations follow the appropriate federal and state guidelines for reporting of data breaches," Bailey continued. "In the case of Apria, there will be a focused attention on the decision to not report nearly 18 months ago. As new and updated laws and regulations are published, there is potential for those timelines to shorten from the 30- or 60-day limits."
Even with nearly 2 million impacted individuals, it's still only the fifth largest healthcare data breach reported by a single entity so far this year.