Navicent Health alerting patients about data breach this past summer
Navicent Health was victimized by a cyberattack this past summer, only reporting the breach to federal agency in the last few days.
The organization, a five-hospital delivery system serving the Macon, Ga., metropolitan area, has begun publicizing the incident to affected individuals and the HHS Office for Civil Rights, which enforces HIPAA privacy and security rules. HHS expects data breaches to be reported to the agency within 60 days.
In its notice, the organization did not explain the delay in reporting the breach. Navicent Health retained forensic security firms to help investigate the breach, which resulted from email accounts being compromised, but it wasn’t until this past January that the organization understood what data was at risk.
The data included patient names, dates of birth, addresses and limited medical information, such as billing and appointments, as well as an unspecified number of compromised Social Security numbers. The attack did not impact computer networks or electronic health records.
Navicent Health is giving affected patients information on how to protect themselves from fraud, but is only offering identity theft protection services to an undisclosed number of persons whose Social Security numbers may be compromised.
“If individuals detect any suspicious activity, they should notify the entity with which the account is maintained and promptly report any fraudulent activity to law enforcement and their state attorney general,” affected patients were told. “In addition, anyone looking for information on fraud prevention can review tips provided by the Federal Trade Commission.”
The number of affected individuals has not yet been posted by the Office for Civil Rights. Navicent Health declined a request to provide for additional information on how the breach was handled.