HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Lucent Health delays breach notification for 16 months

Written by Caitlin Anthoney | Feb 4, 2025 7:54:04 PM

Lucent Health Solutions, LLC, a third-party health plan administrator, experienced a data breach in October 2023 that exposed individuals’ protected health information (PHI). Affected individuals, however, were not notified until January 2025, well beyond the 60-day notification deadline mandated by the Health Insurance Portability and Accountability Act (HIPAA).


What happened  

Lucent Health Solutions, LLC ("Lucent Health"), a Tennessee-based third-party health plan administrator, reported a data breach involving individuals’ PHI. The breach stemmed from a phishing attack on October 2, 2023, when a manager unknowingly opened a phishing email from a trusted broker, giving an unauthorized party access to the manager’s email account.

Lucent Health detected suspicious activity, launched an investigation, and determined that an unauthorized party may have accessed names, Social Security numbers, dates of birth, demographic details, medical diagnoses, and health insurance information.

Despite detecting the activity in October 2023, Lucent Health did not notify affected individuals until January 30, 2025, nearly 16 months later.


What was said  

In its breach notice to the California Attorney General, Lucent Health stated, “After an extensive forensic investigation, Lucent Health determined that one email was subject to unauthorized access for a limited period (approximately 90 minutes) and that the unauthorized individual queried selected search terms.”

“The cybersecurity firm confirmed no information was downloaded or electronically transferred from the email account, and they did not identify evidence that the unauthorized individual actually viewed any information.”

Nonetheless, Lucent Health is providing affected individuals with 24 months of complimentary identity monitoring services.

 

In the know  

HIPAA requires covered entities and their business associates to notify affected individuals of a data breach without unreasonable delay and no later than 60 days after discovery. 

Notification must include a description of the breach, the types of information involved, and steps individuals can take to protect themselves. If a breach affects 500 or more individuals, the entity must also notify the Department of Health and Human Services (HHS) within the same 60-day window, and a breach involving more than 500 residents of a single state or jurisdiction must additionally be reported to prominent media outlets serving that area. Smaller breaches are logged and reported to HHS annually.

As a business associate, Lucent Health handles PHI on behalf of covered entities and is subject to HIPAA’s breach notification requirements. A business associate must report a breach to the affected covered entities without unreasonable delay and no later than 60 days after discovery, and the covered entity (or the business associate, where the business associate agreement delegates this task) must then notify the affected individuals within the same deadline.

Consequently, Lucent Health’s 16-month delay in notifying affected individuals raises questions about compliance and potential regulatory consequences.

Go deeper: HIPAA breach deadlines healthcare organizations need to know

 

Why it matters  

Delayed breach notifications increase the risk of identity theft, fraud, and misuse of sensitive data, because every month individuals remain unaware is time they cannot use to place fraud alerts, freeze their credit, or watch for fraudulent insurance claims. Covered entities and their business associates must therefore notify affected individuals without unreasonable delay, and in no case later than 60 days after discovering the breach, so individuals can protect their information.

Read also: How to respond to a suspected HIPAA breach

 

FAQs

Does HIPAA apply to phishing attacks in healthcare?

Yes. HIPAA does not regulate phishing as such, but a phishing attack that results in unauthorized access to protected health information (PHI) is a security incident under the HIPAA Security Rule and is presumed to be a reportable breach unless a documented risk assessment shows a low probability that the PHI was compromised. Such incidents can lead to severe penalties, including fines and reputational damage.


What is a business associate agreement?

A business associate agreement (BAA) is a legally binding contract between a HIPAA covered entity and a business associate that handles PHI on its behalf. The agreement sets out how the business associate must safeguard PHI, limits its permitted uses and disclosures, and requires it to report security incidents and breaches to the covered entity as HIPAA requires.


Are healthcare organizations responsible for HIPAA breaches caused by their business associates?

Yes. Under HIPAA, a covered entity can be held liable for a breach caused by a business associate that was acting as its agent within the scope of that agency, and the covered entity always remains responsible for its own obligations, including notifying affected individuals once the business associate reports the breach.