GMH under review for potential HIPAA breach - KUAM.com-KUAM News: On Air. Online. On Demand.
GMH under review for potential HIPAA breach
Friday, March 31st 2023, 2:11 PM ChST
By Matsuki Hirayama
Image
The unauthorized access into Guam Memorial Hospital's network is undergoing a detailed review for a possible Health Insurance Portability and Accountability Act or HIPAA breach.
The information came to light during the public hospital's monthly board meeting Wednesday.
GMH legal counsel Jeremiah Luther maintains that no patient or employee records were compromised, saying they got lucky.
"The investigation is ongoing," he said. "My hope right now, everything I have seen so far is indicating that we got very lucky in that the information was not accessed, acquired or manipulated or damaged or exploited."
Under the HIPAA breach notification rule, GMH has 60 days since the discovery of the "unauthorized access" to notify the individuals impacted or potentially impacted, along with notifying the Department of Health and Human Services, and the media.
"But we are well within our deadlines for compliance under federal law, and I assess right now that we are not under an obligation to notify the public or individuals," Luther said. "In fact, we would not know which individuals to notify even if we were to decide that was the correct procedure under local law."
He noted the hospital may end up having to give the public some answers in the form of a “generalized statement” similar to how Docomo Pacific did earlier this month after they experienced a system breach.
Friday, March 31st 2023, 2:11 PM ChST
By Matsuki Hirayama
Image
The unauthorized access into Guam Memorial Hospital's network is undergoing a detailed review for a possible Health Insurance Portability and Accountability Act or HIPAA breach.
The information came to light during the public hospital's monthly board meeting Wednesday.
GMH legal counsel Jeremiah Luther maintains that no patient or employee records were compromised, saying they got lucky.
"The investigation is ongoing," he said. "My hope right now, everything I have seen so far is indicating that we got very lucky in that the information was not accessed, acquired or manipulated or damaged or exploited."
Under the HIPAA breach notification rule, GMH has 60 days since the discovery of the "unauthorized access" to notify the individuals impacted or potentially impacted, along with notifying the Department of Health and Human Services, and the media.
"But we are well within our deadlines for compliance under federal law, and I assess right now that we are not under an obligation to notify the public or individuals," Luther said. "In fact, we would not know which individuals to notify even if we were to decide that was the correct procedure under local law."
He noted the hospital may end up having to give the public some answers in the form of a “generalized statement” similar to how Docomo Pacific did earlier this month after they experienced a system breach.
