The Massachusetts-based medical group recently filed a notice of data breach with the Attorney General of Massachusetts.
What happened
SouthCoast Health Medical Group, LLC, which is part of the Privia Health national network, recently filed a notice of data breach on July 3rd, 2024.
According to their notice, SouthCoast became aware of a data breach on June 18th, 2023, over one year ago. The organization shared that once they spotted unauthorized activity in the network, they took “steps to secure [their] systems and investigate the nature and scope of the incident.” SouthCoast also partnered with a third-party forensic team to investigate the event.
Ultimately, the investigation determined that between June 15th and June 18th, 2023, an unauthorized actor gained access to SouthCoast’s network and viewed or copied files. After the discovery, the team reviewed and identified what sensitive information was impacted. They said the review was completed on June 13th, 2024.
Soon after, SouthCoast began sending notifications.
Going deeper
In response, SouthCoast is offering free credit monitoring and identity theft protection services.
While the information involved varies, it may include names, Social Security numbers, passport numbers, financial account information, mother’s maiden name, medical information, health insurance information, and electronic signatures.
Although SouthCoast confirmed that the attack was limited to its own network, some Privia Medical Group members may have had their information exposed.
What was said
An initial notice was posted to SouthCoast’s website on August 17th, 2023, but the notification did not provide significant details or share what data was involved. It was updated on July 3rd, 2024, to share the most recent details.
In the notice, SouthCoast stated they have “no indication of identity theft or fraud in relation to this incident.”
The organization says that upon discovery, they “immediately took steps to secure [their] systems and [perform] a full investigation.” They have also notified regulatory bodies.
The big picture
Cases like these show the lengthy process often involved in resolving data breaches. HIPAA requires organizations to notify patients of a data breach within 60 days of discovery, but in reality, the timeline is usually delayed.
Still, organizations need to respond to data incidents promptly. Delays in breach notification frequently become part of lawsuit allegations. Multiple law firms are investigating the incident at SouthCoast to see if it warrants a class action suit. As more information is revealed, such as how many individuals were impacted, we will likely see if a lawsuit takes shape.
While the breach took time to investigate, it did not cause operational delays. SouthCoast likely had an incident response plan in place to prevent a direct impact on patients.