OCR wall-of-shame level data breach? Maybe not a good time to go cheap

The HIPAA Breach Notification Rule requires covered entities to notify the Office for Civil Rights (OCR) within 60 days of discovery of any data breach involving the protected health information (PHI) of 500 or more individuals. The class action lawsuit filed against UnityPoint Health on May 4, 2018 demonstrates that sometimes it's not the incident itself but how a healthcare organization handles a breach that matters. At issue is the late notice to impacted patients and the OCR, as well as a cavalier approach to accurately identifying the nature and scope of the PHI disclosed. To pile on, the decision by UnityPoint to forgo offering individuals free credit monitoring is one of those penny-wise and pound-foolish decisions that seems to have inspired an attorney to take up the case.