Regional Care, Inc. (RCI) recently announced a data breach that exposed the sensitive information of over 225,000 individuals. The breach, detected on September 18, 2024, involved unauthorized access to the company's network, exposing personal and protected health information (PHI).
What happened
On September 18, 2024, RCI detected unusual activity within its computer network, indicating unauthorized access. A subsequent investigation confirmed that sensitive personal information and PHI was compromised, including names, dates of birth, Social Security numbers, medical information, and health insurance details.
RCI discovered the breach on November 8, 2024. In response, the company shut down its systems to contain the incident and launched a forensic investigation to determine the scope of the breach and identify affected individuals.
By the Numbers
The data breach affected over 225,000 individuals, with the breach detected on September 18, 2024. The investigation into the breach was completed by November 8, 2024, and notification letters were sent out to the affected individuals on December 16, 2024.
What they’re saying
Several law firms, including Edelson Lechtzin LLP and Strauss Borrelli PLLC, have initiated investigations into potential data privacy violations by RCI. These firms are exploring claims on behalf of individuals whose data may have been compromised, focusing on the adequacy of RCI's data security measures and the timeliness of their breach disclosure.
Key takeaways
RCI detected the breach on September 18, 2024, and completed the investigation by November 8, 2024. Notification letters were sent to affected individuals on December 16, 2024. This timeline indicates that RCI complied with the Breach Notification Rule, thus setting a standard for other organizations to act swiftly when a breach is detected, and follow HIPAA requirements after a breach.
FAQs
What is the Breach Notification Rule?
The Breach Notification Rule is part of HIPAA, requiring covered entities to notify affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media, within 60 days of discovering a breach of unsecured PHI.
What are the HIPAA requirements after a breach?
HIPAA requires notifying affected individuals within 60 days, notifying HHS if the breach affects more than 500 individuals, and notifying the media if the breach affects more than 500 individuals. A substitute breach notice must be posted if 10 or more individuals lack up-to-date contact information.
What are the consequences of not following HIPAA breach requirements?
Non-compliance can lead to civil penalties, criminal penalties, reputational damage, and potential lawsuits. Civil penalties range from $141 to $2,134,831 per violation, and intentional violations can result in fines and imprisonment.
See also: What are the HIPAA requirements after a breach?
What happens when you fail to send a breach notification
