Wisconsin county scrutinized after 11-month breach notification delay

After discovering a cybersecurity breach on October 4, 2023, Richland County, Wisconsin, did not send letters notifying affected residents until the following August. Several residents took to Facebook, questioning the county's response plan and demanding more transparency.

 

What happened

The Richland County government disclosed that the personal information of 76,365 residents was accessed by an unauthorized individual during a breach that occurred around October 2023. The Richland County statement, issued on August 1, 2024, noted that resident files were reviewed, and notifications were sent to affected individuals. 

While the county has assured residents that there is no evidence that their personal information was misused, many took to Facebook, voicing their concerns on the Richland Rants and Chats page and in the comments of a post by the Richland County Sheriff's Office. Concerns were raised about the 11-month delay in notification, leading to frustration among residents and questions about the county's response.

 

What was said

Cheryl Dull, a local resident, expressed frustration over the delayed disclosure, stating, "This should have been disclosed way before 11 months following a hack." 

Richland County Board Supervisor Alayne Hendricks echoed these concerns, saying, "Something is really wrong here."

 

In the know

HIPAA requires a covered entity to notify affected individuals "without unreasonable delay," generally defined as within 60 days following the discovery of a breach of PHI.

If the breach involves 500 or more individuals, the incident must be reported to HHS and, in some cases, to the media.

The bottom line

As data breaches become more common, the county must strengthen its cybersecurity to prevent future breaches and improve resident trust.

Furthermore, any organization that handles personal information must have communication protocols in place to deal with the aftermath of cybersecurity incidents and inform affected individuals within 60 days of discovering the breach.

FAQs

What is a data breach?

A breach occurs when an unauthorized party accesses, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.

 

How can covered entities protect themselves from cyberattacks?

Covered entities must use HIPAA-compliant platforms, like Paubox, which offer multi-factor authentication, access controls, and a secure cloud service to safeguard protected health information (PHI).

Additionally, regular HIPAA training can help staff avoid clicking on suspicious links or downloading files from untrusted sources, protecting the organization from ransomware attacks. 

 

What can individuals do if their data has been compromised?

If an individual suspects their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately. 

Furthermore, they should use identity theft protection services and credit monitoring to track misused information. 
