New York-based non-profit Jewish Home Lifecare, Inc., operating as ‘The New Jewish Home’, experienced a data breach that exposed the sensitive personal and medical information of 104,234 individuals.
Although The New Jewish Home discovered the breach in January this year, they only began notifying affected individuals on August 16, 2024, violating HIPAA’s Breach Notification Rule.
What happened
On January 7, 2024, The New Jewish Home experienced an external system breach (hacking) that compromised individuals’ personal information, including their names, Social Security numbers, addresses, dates of birth, and other personal identifiers.
Despite the severity of the breach, The New Jewish Home did not notify the affected individuals until August 16, 2024, when they finished their investigation.
Furthermore, their initial report to the Department of Health and Human Services (HHS) on March 3, 2024, stated that only 501 individuals were affected, but the updated count now stands at 104,234.
What was said
The New Jewish Home’s public notice claims it “observed unusual activity on [their] network and took immediate action to investigate and contain the incident.”
According to their notice to affected Maine residents, the organization has “no evidence to suggest that any information has been or will be fraudulently misused.”
In the know
HIPAA requires covered entities to notify affected individuals “without unreasonable delay” and within 60 days of discovering a breach involving protected health information (PHI).
Furthermore, HIPAA mandates that if a breach impacts 500 or more individuals, it must also be reported to the Department of Health and Human Services (HHS) and potentially to the media.
Why it matters
Exposing personal information puts individuals at risk of identity theft and financial fraud. So, covered entities must promptly inform affected individuals if their personal information has been compromised to minimize the potential damage.
The bottom line
While The New Jewish Home has notified affected individuals, the organization must improve its cybersecurity to prevent future breaches and safeguard patient trust.
Additionally, affected individuals should enroll in the complimentary credit monitoring and identity protection services offered.
FAQs
What is a data breach?
A breach occurs when an unauthorized party accesses, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
What should individuals do if their data has been compromised?
If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
What are the penalties for violating HIPAA regulations?
Civil penalties for HIPAA violations can include fines ranging from $100 to $50,000 per violation, with an annual maximum of $1.5 million per violation. Criminal penalties are applied when HIPAA violations are knowingly committed, with increased fines and imprisonment.