Long-Term Care Services Firm Says Breach Affects 4.2 Million
‘Inaccessible Computers’ Incident Initially Reported as Affecting 501 People
… “Data breaches are time-consuming to investigate,” said Tom Walsh, president of privacy and security consulting firm twSecurity.
For example, if phishing or compromised email accounts are implicated in a cybersecurity incident, “all of the saved email messages from the mailboxes of each employee – or email user – need to be examined for protected health information or personal identifiable information content,” he said.
Depending on the size of an organization, how many email accounts were affected, the tenure of the employees whose email accounts were compromised, and whether the company has an email retention policy that includes purging old email, a review of whose PHI or PII was compromised might take many weeks or months, Walsh said.
“Once a list of names is generated, the list needs to be checked for duplicates to eliminate sending a patient multiple notices regarding the same breach,” he said. “The more patients that may have been affected by a data breach, the longer it takes to determine a list of names and contact information of those that were affected.”