Louisiana Healthcare System Delayed Reporting Breach to HHS OCR
An October 2022 ransomware attack on IT systems at Louisiana's Lake Charles Memorial Health System compromised sensitive data belonging to about 270,000 patients. The organization disclosed the incident in late October, but did not notify the US Department of Health and Human Services Office for Civil Rights (HHS OCR) until December 22, and began sending notification letters to patients on December 23.
In this case, the reporting requirement seems to be 60 days, so Lake Charles is compliant, but waiting that amount of time to notify impacted customers is the issue. Reports say Lake Charles refused to pay the ransom demand, so allow some time for negotiations. But customers should have been notified faster. The lesson to learn is to have the breach response process in place and tested long before an event.
That is a long time for customer notification. While it's tempting to hold off making notifications until you're 100% certain, you need to put a cap of (at most) a couple of weeks to keep your customers comfortable. More transparency is expected. Make sure that you're able to provide information and updates as you move along, not holding back until you have absolutely every detail nailed down.
Many criticize mandatory reporting requirements introduced by regulations such as the EU General Data Protection Regulation (GDPR). However, delayed reporting can have serious impacts on the affected individuals such as exposing them to the risk of fraud.
While earlier might have been better, I tend to be forgiving of hard choices made by other professionals.