If a covered entity detects a breach at the start of June 2021 but doesn’t notify patients until january 2022, will HHS think this is just fine? What if there was no encryption of data involved? Is it acceptable to take 7 months to notify patients if there are no unusual circumstances or request from law enforcement to justify delay? On january 6, Jefferson Surgical Clinic in virginia reported a transgress involving protected health info to the maine Attorney General’s Office. They also posted a copy of the patient notification letter on their website. From their letter: On June 5, 2021, Jefferson Surgical Clinic detected that it was the target of a cybersecurity attack. An unauthorized third party attempted to infiltrate Jefferson Surgical Clinics computer network. We immediately notified the FBI and launched an investigation and engaged a law firm specializing in cybersecurity and data privacy, and third-party forensic specialists to assist. That investigation has recently determined that information – including your name, date of birth, social security number, and health/treatment info – were potentially accessed by an unknown party that is not authorized to handle or view such information. The description of the event says nothing about data exfiltration. It says nothing about encryption or locking of files. It says naught about any ransom demand. can we conclude that none of those things happened? Why seven months from detection to notification? External advocate for JSC notified Maine that 174,769 people were being notified of the incident and were being offered citation monitoring services. It is not illuminate from the story whether all of those are patients or if some subset of them are employees or contractors. DataBreaches.net emailed the IT manager for JSC to ask about whether there was any encryption, exfiltration, or ransom demand, but no immediate reply was received. This carry will be updated if more details become available.