swidup
commented
3 years ago https://www.databreaches.net/without-undue-delay-friday-edition/
"The Jacobson Memorial Hospital & Care Center had a breach last year that they are first disclosing this week. Here’s the chronology, based on a statement from their external counsel:
July 28, 2020 — One employee’s email account is compromised and used to send out spam.
August 5, 2020 — Hospital manages to kick bad actor out of their system; hires forensics firm to investigate scope.
August 25, 2020 — Forensic investigation confirms single account was compromised. Hospital hires another vendor to search compromised account for PII/PHI.
September 27 — Search completed. Working with vendor, hospital commences manual review of emails.
December 31, 2020 — Results of manual review received.
February 23, 2021 — Notifications made to 1,545 patients.Given that chronology, the hospital may claim that notification was made within 60 days of discovery. But the reality is that it is more than 6 months since the breach was first recognized/discovered. "
https://www.beckershospitalreview.com/cybersecurity/north-dakota-hospital-informs-1-500-patients-of-data-breach.html