How JustAnswer Works:
  • Ask an Expert
    Experts are full of valuable knowledge and are ready to help with any question. Credentials confirmed by a Fortune 500 verification firm.
  • Get a Professional Answer
    Via email, text message, or notification as you wait on our site.
    Ask follow up questions if you need to.
  • 100% Satisfaction Guarantee
    Rate the answer you receive.
Ask Delta-Lawyer Your Own Question
Delta-Lawyer, Attorney
Category: Legal
Satisfied Customers: 3546
Experience:  10 years practicing IP law and general litigation
Type Your Legal Question Here...
Delta-Lawyer is online now
A new question is answered every 9 seconds

I am conducting a breach risk assessment and would like some

Customer Question

I am conducting a breach risk assessment and would like some guidance. Pertinent details:
1) Successful phishing attack of employee led to a 30 minute unauthorized access to email and file store by perpetrator.
2) Forensics prove no action take by perpetrator in the data store (no files copied, downloaded, opened, etc.)
3) Forensics prove no synchronization of email or forwarding of email
4) Perpetrator could have 'seen' emails.
5) Mailbox contained 5200 emails - of which 34 contained PHI
6) PHI included only Pt. Name, Address, Date of Birth
7) Forensics indicate that the perpetrator used the 30 minutes to perpetuate their phishing campaign by sending 895 additional phishing emails to other persons.
In performing a LOPROCO we have concluded that given the above - there is a low probability that PHI was compromised. This conclusion is largely based on the evidence that the perpetrator had an opportunity to copy/download/synchronize both the data store (which contained immense amount of PHI) but did not do so. Therefore, we conclude it is highly unlikely that the perpetrator would have sifted through over 5000 emails to 'read' and or 'retain' the 34 items in question.
Given the information we have provided, do you believe we are in a position that warrants our conclusion? I can certainly provide more detail if warranted.
Submitted: 1 year ago.
Category: Legal
Expert:  Delta-Lawyer replied 1 year ago.

I hope this message finds you well, present circumstances excluded. I am a licensed attorney with over a dozen years of employment law experience, including development of policy relative to these issues. It is a pleasure to assist you today.

The standard in handling breaches like the one you are dealing with is one of reasonableness and due diligence. Basically, are the measures that you have taken reasonable in light of the breach and have you entertained all due diligence in determining the information accessed and potentially at risk.

Based on what you have shared with me, I believe that you have met that burden and should be secure in your position should there be a legal issue as to your efforts down the line. That said, I would certainly inform, in writing, the individuals of the 34 emails that contained PHI. The letter should roughly state what has happened and the information contained in the emails as it pertains to that individual. Since this information is not related to their social or their tax ID, they should feel pretty secure in the maintenance of their privacy. However, they need to maintain heightened observation of their credit score and other areas typically associated with identity theft. Your letter should also state that you are making efforts to assure this does not happen again, though these types of attacks are growing more complicated and frequent in all business areas.

You have done a great job here though and are to be commended.

Let me know if you have any other questions or concerns. Please also rate my answer positively (THREE OR MORE STARS) on the ratings bar on your end so I can receive credit for my response from the site.

Thank you and best wishes!

Customer: replied 1 year ago.
The question is whether my entity needs to report the breach and provide notice. While you indicate that I've "met the burden", you also suggest I provide notice. This is somewhat confusing to me. If you feel I've met the burden in determining that there is a "low probability of PHI being compromised", no notice or reporting is required. See 78 FR 5643 - 5645Are you advising that we provide notice to the patients, but not report this as a breach? Or are you saying that we've properly mitigated the situation, yet a notification and reporting of the event is still warranted. Our focus is on whether or not we have significant evidence to support a 'low probability of compromise".
Expert:  Delta-Lawyer replied 1 year ago.

I am sorry for the have met the burden of due diligence in your investigation of the breach. However, it is a good business practice to, at a minimum notify the affected or potentially affected employees of the breach in writing. The reason it should be in writing is that it then becomes repeatable in the event of litigation.

You need to provide notice to the patients and report the breach, out of an abundance of caution. There is no harm in reporting this and providing information to those that can be affected. The greater harm is not providing this information, from a litigation standpoint, because it makes you appear to be culpable.

Your investigation does appear to provide significant evidence to support low probability of compromise. That is undeniable, in my opinion based on what you have shared with me. So, there is very little legal exposure as to how you responded to the breach and investigated the breach. The other side of the coin in informing those potentially affected. That is the next step here and that is what should be done in view of your investigation.

Let me know if that helps or if there are other concerns. I apologize for the confusion.

Expert:  Delta-Lawyer replied 1 year ago.

Did you have any other questions or concerns?

Expert:  Delta-Lawyer replied 1 year ago.

Just checking to see if you have any other questions or concerns here. I want you to be as comfortable as possible as you move forward. Thanks