Congress Learns of Prescription Data Hack Months Later
Lawmakers are only now learning that hackers breached a congressional medical contractor more than two months ago.
RXNT, a healthcare software company used by the Office of the Attending Physician (OAP) to manage prescription services for Congress, was breached on March 1 and March 3. Hackers obtained copies of patient data stored within the platform. The contractor notified the government on the final day allowed under federal health privacy law.
The compromised data includes names, birth dates, home addresses, prescription information, physician names, and pharmacy information. The OAP confirmed that broader medical records, Social Security numbers, insurance information, and financial data were not affected.
Under HIPAA, business associates such as RXNT have 60 days from discovering a breach to notify affected covered entities. RXNT used the full window, notifying the OAP on day 60. According to two people familiar with the matter, that delay may have set back the OAP’s own assessment of how many Capitol Hill patients were affected.
The data review itself took more than six weeks, from March 3 to April 17, before RXNT formally confirmed what had been taken. Client notifications did not go out until May 1, at which point affected organizations were given until May 15 to register and authorize RXNT to manage downstream reporting obligations, including filings with HHS’s Office for Civil Rights, state attorneys general, and affected individuals.
Attending physician Brian Monahan has been personally contacting affected lawmakers and staff. The OAP’s notice to affected patients offered this reassurance:
“The OAP only provides the minimum information required to process prescription services.”
The OAP’s notice explained that RXNT’s software is used to “securely transmit prescription information to pharmacies for fulfillment.”
Broader medical records, including detailed health histories, “remain secured within the walls of Congress” and are “not cloud based,” the notice stated.
No attribution for the breach has been made public. It is not known whether the intrusion was carried out by a domestic or foreign actor, or where the data may ultimately end up.
The total number of affected individuals has not been disclosed. Under HIPAA’s Breach Notification Rule, covered entities have up to 60 days after being notified by their business associate to issue individual notifications, meaning the full scope of this breach may remain unknown for some time.
Comments
Weak damage control statement. At least some, if not all, affected people’s conditions are going to be pretty clearly implied by their prescription history in many, many cases.
An additional thought! Based on the nature of the drugs and medical specialties of listed doctors, members of congress, staffers and family members may now be subject to outside pressure or blackmail, for fear of certain medical info being released. How about taking drugs for serious mental or emotional issues. How about drugs for sexually transmitted disease. Are you practicing safe sex or cheating on a spouse. Maybe it indicates addiction to opiates or other drugs. Will there be mass resignations or significant changes in political policy? Tremendous harm has probably occurred to our national security because members of congress have been compromised by a breach of personal data. How long had the breach occurred before discovery? Has it caused members to retire or not seek reelection? Data is power and control over others. It can’t be treated lightly as is typical for data breaches. Financial records may be of least concern depending on the individual.
How upset am I supposed to be over this? The company…complied with the law. If Congress doesn’t like it, they should have made a better law.
I don’t think you are….it’s just a very interesting development and hopefully wakes the nation’s grifters up to how vulnerable we are. We know that they are pretty good at serving their own best interests.
Bingo. It’s a treat to see the consequences of poor legislation finally devolve upon the people actually responsible for creating it.
What would be effective in concentrating the focus of entities both public and private who demand all sorts of PII and other sensitive data is applying sizable mandatory penalties stir for data breach. $50K to each individual impacted on 1st offense. $250K on 2nd offense. 3rd offense is $1 Million. They gotta post a bond sufficient to cover the potential fine. Alternatively make every individual with Executive authority and the Board of Directors personally liable if the entity can’t cough up the funds after liquidation of all assets to include their Spouse’s jewelry and their child’s college fund. Sentence them to Fed confinement in Nevada near the site of their work release job at the Bunny Ranch where they will be assigned to turn tricks to pay off the balance.
Rows and floes of angel hair
And ice cream castles in the air
And feather canyons everywhere
I’ve looked at clouds that way
But now they only block the sun
They rain and snow on everyone
So many things I would have done
But clouds got in my way
I’ve looked at clouds from both sides now
From up and down, and still somehow
It’s cloud illusions I recall
I really don’t know clouds at all
Company had 60 days and used it. If people don’t like it then change the law to 60 hours or something. If anyone is surprised that data breaches through hacks happen then they haven’t paid attention for the last number of years.
HIPAA laws once used to fool the easily fooled public so that the government could dictate what the plebs should know
ohh, criminals in school … can’t talk about, they are minors … same anti-good-people agenda by the lefty
Business and government agencies have been hacked for decades, since they installed databases with outside connections or gave access to untrained and untrustworthy employees. If a company or government agency, at this stage of computer usage and security protocols, loses data, internally or externally, every person in that database whose data was compromised should receive a significant financial payout from that business or government entity! Maybe $100,000 or more. If you can’t secure the data you collect, you shouldn’t be allowed to hold that data. How come we seldom, if ever, hear about data thieves being arrested and going to prison for significant time? Data theft or hacking is not a single offense. It is an individual crime against every person whose data was compromised. How about charges involving 1000 or 100,000 counts of data theft, fraud, money laundering etc. Sentencing should be for life without parole and forfeiture of all assets. These crimes devastate thousands of lives. Punishment should be a deterrent, not a slap on the wrist. Data holders should be civilly liable for loss due to their negligence or inadequacy of security. Management should be held personally liable for data breach. I am still PO’d decades since the State Department allowed an unnamed contractor to walk out with my personal info on floppy disks and info on others??? How about years back when it was reported that China hacked the Office of Personnel Management (OPM) and stole background investigation records for those who underwent national security background investigations for security clearances. Did OPM notify you? I learned about it in the media. Did anyone at OPM get fired or disciplined over that data breach? Not likely. My opinion is if you hold other people’s personal data in a computer system, and that system is breached, you become personally liable for the data loss for each individual’s records.
Victims should not have to show a financial or other loss, just that the record was compromised.
How come we seldom, if ever hear about data thieves being arrested and going to prison for significant time.
Because the thieves are either overseas in actively diplomatically hostile locations, or worse are paid agents of actively hostile or belligerent foreign governments. While they can be indicted in absentia, for most practical purposes, unless they’re going to set foot in the United States or INTERPOL is really interested in them, arresting them and bringing them to trial is simply not an available option.
As for payouts when information is compromised: Where is the economic harm? We don’t compensate people for “potential harm” because it is too nebulous an idea. You may have two equally situated individuals that suffer in the same data breach and one might incur $100K of damages from fraudulent use of their identity, while the other might suffer no injury at all. Should they both be paid $100K at the get-go? No. That makes no economic sense, because one will then have a net-zero economic impact, but the other will be unjustly enriched at the expense of the offending data-holder, leading to higher costs for no societal benefit.