New York-based non-profit Jewish Home Lifecare, Inc., operating as ‘The New Jewish Home’, experienced a data breach that exposed the sensitive personal and medical information of 104,234 individuals.
Although The New Jewish Home discovered the breach in January this year, it only began notifying affected individuals on August 16, 2024, violating HIPAA’s Breach Notification Rule.
On January 7, 2024, The New Jewish Home experienced an external system breach (hacking) that compromised individuals’ personal information, including their names, Social Security numbers, addresses, dates of birth, and other personal identifiers.
Despite the severity of the breach, The New Jewish Home did not notify the affected individuals until August 16, 2024, when it had finished its investigation.
Moreover, its initial report to the Department of Health and Human Services (HHS) on March 3, 2024, stated that only 501 individuals were affected, but the updated count now stands at 104,234.
The New Jewish Home’s public notice claims it “observed unusual activity on [their] network and took immediate action to investigate and contain the incident.”
According to their notice to affected Maine residents, the organization has “no evidence to suggest that any information has been or will be fraudulently misused.”
HIPAA requires covered entities to notify affected individuals “without unreasonable delay”, and in no case later than 60 days after discovering a breach involving protected health information (PHI).
Furthermore, HIPAA mandates that if a breach impacts 500 or more individuals, it must also be reported to the Department of Health and Human Services (HHS) and potentially to the media.
Exposing personal information puts individuals at risk of identity theft and financial fraud. Covered entities must therefore promptly inform affected individuals when their personal information has been compromised, so that the potential damage can be minimized.
While The New Jewish Home has notified affected individuals, the organization must improve its cybersecurity to prevent future breaches and safeguard patient trust.
Additionally, affected individuals should enroll in the complimentary credit monitoring and identity protection services offered.
A breach occurs when an unauthorized party accesses, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
If individuals suspect their data has been compromised, they should monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
Civil penalties for HIPAA violations can include fines ranging from $100 to $50,000 per violation, with an annual maximum of $1.5 million per violation. Criminal penalties apply when HIPAA violations are committed knowingly and can include larger fines and imprisonment.