Texas-based healthcare services provider HMG Healthcare LLC is the latest company to be hacked as a data breach resulted in the theft of personally identifiable information and medical records.

Described as a “data security incident” by HMG Healthcare in a privacy update, the breach was detected in November, with a subsequent investigation finding that someone had first gained access in August.

The incident involved hackers gaining access to an HMG Healthcare server and stealing unencrypted files. The files on the server contained medical records and personal information, including names, dates of birth, contact information, general health information, information regarding medical treatment, Social Security numbers and employment records.

Typically, at this point, a company would then tick off a standard breach response list — hiring a third-party cybersecurity company, informing law enforcement and offering credit monitoring. But strangely, none of those is in the HMG Healthcare disclosure.

Instead, the healthcare provider provided scant details wrapped in emotive language, saying, “HMG quickly identified this breach and took steps to investigate the incident fully, mitigate any potential harm to you and/or your loved one, and protect against any further breaches.”

The claim that the breach was “quickly” identified denies the fact that it’s only disclosing it now. It was discovered in November and then found to have occurred in August. That’s not only not quick, given the legal requirements around breach disclosures, it’s possibly legally liable.

The HIPAA Breach Notification Rule 45 CFR §§ 164.400-414 requires Health Insurance Portability and Accountability Act-covered entities and their business associates to provide notification following a breach of unsecured protected health information without unreasonable delay and in no case later than 60 days following the discovery of the breach. Depending on when it discovered the breach in November, HMG Healthcare may have scraped under the 60-day requirement, but it’s arguable whether sitting on the news for nearly two months constitutes an unreasonable delay.

“It’s unfortunate to have records like this stolen and disheartening to see that sensitive information was stored in an unencrypted fashion,” Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “For anyone handling or storing sensitive information, especially those who deal with PHI, encryption should be standard and data access should be monitored and logged.

The fact that the event occurred in August and was discovered in November, yet potential victims are only now being warned, he added, leaves people to potential social engineering scams or identity theft. “Once this type of information is exposed, there is no way to reverse the issue,” he said.

Image: HMG Healthcare