Ohio-based healthcare provider Prentke Romich Company (operating as PRC-Saltillo) filed a data breach notification with the Massachusetts Attorney General on September 12, 2024, after discovering unauthorized access to its network.
The hacking/IT incident exposed the personally identifiable information (PII) of 51,627 individuals. PRC-Saltillo immediately began notifying the affected individuals.
PRC-Saltillo first detected suspicious activity on its computer network on August 21, 2024. The subsequent investigation established that an unauthorized party had access to the network from August 13, 2024, to August 21, 2024, and copied files containing confidential consumer data.
On September 3, 2024, the company completed its review of the compromised information, and on September 12, 2024, it mailed notification letters to the affected individuals. The incident was documented as a hacking incident involving a network server and was reported as having occurred on September 25, 2024.
The PRC-Saltillo notification letter states, “We take the confidentiality, privacy, and security of information very seriously. In response to this event, we promptly took steps to secure our systems and commenced a detailed investigation to determine the full nature and scope of the event. As part of our ongoing commitment to the privacy of information in our care, we are reviewing our policies, procedures, and processes related to the storage and access to personal information.”
Exposing personal information puts individuals at risk of identity theft and financial fraud. Therefore, healthcare providers must promptly inform affected individuals if their personal information has been compromised to minimize the potential damage.
Affected individuals should carefully review the information provided in the notification letters they received and consider seeking legal counsel.
Furthermore, PRC-Saltillo must improve its cybersecurity to prevent future breaches and safeguard consumer trust.
A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Examples include hacking, losing a device that contains PHI, or sharing information with unauthorized individuals.
If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and immediately report any unauthorized transactions.
Civil penalties for HIPAA violations can include fines ranging from $141 to $71,162 per violation, with an annual maximum of $2,134,831 per violation. Criminal penalties are applied when HIPAA violations are knowingly committed, with increased fines and imprisonment.