RXNT delayed breach notification 60 days
- RXNT notified affected healthcare organizations on May 1 after a March 1-3 breach, and Congress learned days later that lawmakers’ prescription data was involved.
- Federal rule 45 C.F.R. 164.410 gives business associates up to 60 days after discovery; POLITICO reported RXNT notified Congress’ medical office on the last day.
- May 15 was the registration deadline on RXNT’s breach portal for affected organizations seeking incident details and notification support.
RXNT, a healthcare software vendor used by Congress’ Office of the Attending Physician, disclosed a data breach to affected healthcare organizations on May 1 after unauthorized access between March 1 and March 3, according to breach notices reviewed by trade and political news outlets. POLITICO reported on May 13 that lawmakers and staff were informed that week their prescription information may have been compromised through the vendor’s system. HHS rules require breach notification after exposure of unsecured protected health information, but they also give business associates a window that can delay when downstream organizations learn what happened. In this case, the timeline put Congress on notice more than two months after the intrusion.

### How did this reach Congress months after the breach?

March 1 and March 3 are the dates POLITICO said intrusions hit RXNT, the software provider used by the Office of the Attending Physician to transmit prescription information to pharmacies. The Office of the Attending Physician then informed affected members and staff during the week of May 11, according to letters reviewed by POLITICO. (politico.com)

May 1 is the date on RXNT’s notification letters to customer organizations, according to HIPAA Journal, which said the company had reviewed affected data between March 3 and April 17 before sending notices. That sequence left a gap of nearly two months between the intrusion window and notice to customer organizations.

### What does HIPAA actually require a vendor like RXNT to do?

45 C.F.R. 164.410 says a business associate must notify the covered entity of a breach of unsecured protected health information after discovery of the breach. (politico.com) The regulation says that notice must be made “without unreasonable delay” and no later than 60 calendar days after discovery.
HHS says the HIPAA Breach Notification Rule applies to both covered entities and business associates after a breach of unsecured protected health information. (hipaajournal.com) The rule does not require public disclosure the moment a vendor detects suspicious activity; it sets an outer deadline and leaves room for investigation before notice goes out.

### What data was taken, and what was not?

POLITICO reported that the data accessed in the RXNT breach included names, dates of birth, addresses, prescription information, doctor information and pharmacy information. (ecfr.gov) The same report said financial data, insurance information and Social Security numbers were not compromised, and that patient records kept inside Congress’ own systems were not part of the cloud-based RXNT environment. (hhs.gov)

HIPAA Journal reported that RXNT told customers an unauthorized actor obtained a copy of stored data and that the company’s review confirmed theft of patient names, dates of birth and demographic information including addresses, contact information and patient IDs. The difference in detail likely reflects the fact that covered entities receive organization-specific information about their own affected patients.

### Why does the 60-day clock matter so much to customers?

The Office of the Attending Physician told affected patients that it provides “the minimum information required” to process prescription services, according to POLITICO. (politico.com) That detail shows one way healthcare organizations try to limit exposure when they rely on outside vendors to handle a narrow function such as e-prescribing. (hipaajournal.com)

The regulation itself requires the business associate to identify affected individuals and provide the covered entity with other available information needed for patient notice, either at the time of notification or promptly afterward. Until that happens, the covered entity may know little about scope, patient count or reporting obligations.
### What happens next for organizations caught in the breach?

May 15 was the deadline for affected providers to register on RXNT’s dedicated notification site to receive more information, according to HIPAA Journal and the site’s login page. (politico.com) RXNT offered to handle breach reporting tasks for clients, including notices to the HHS Office for Civil Rights, media notices, individual notifications and reports to state attorneys general. (ecfr.gov)

The HHS breach rule requires covered entities to notify affected individuals, and in some cases the media and the HHS secretary, after a reportable breach. Further disclosures are likely to appear through patient notices, regulator filings and any updates from Congress’ Office of the Attending Physician or RXNT. (hhs.gov) (hipaajournal.com)