According to IBM, it takes an average of 287 days for security teams to identify and contain a data breach. Apparently, the timeline for notification of customers potentially affected can be even longer.
Last week, Georgia-based CorrectHealth (CH), which provides healthcare to individuals inside correctional facilities, announced that it “recently” experienced a data security incident that may have resulted in an unauthorized access to some individuals’ sensitive personal information.
CH stated that on November 10, 2021, it discovered that an unauthorized user potentially had access to CH employee email accounts. Upon detection of this incident, CH states that it “promptly” engaged a specialized third-party forensic firm and conducted a forensic investigation to determine the nature and scope of the incident. The investigation, which concluded on January 28, 2022, found that some individuals’ information may have been affected by this incident. Was a data breach notification announced then? Nope.
Instead, CH states it “immediately” began a thorough review of its systems, and from March to July 2022, engaged a third party to analyze the specific files that were compromised during this data security incident in order to determine the specific information disclosed and to identify the potentially impacted individuals.
Was a data breach notification announced by the end of July? Nope – it still took almost another month (August 25, 2022) before CH announced the breach.
The timeline for notification of customers from November 10, 2021 detection to August 25, 2022 announcement was…289 days.
Could they have announced the data breach sooner? I don’t know. Regardless, the timeline for notification in this case illustrates just how long it takes for organizations to figure out what happened and report it.
According to what CH reported to the Maine Attorney General’s Office, it affected 54,066 individuals. CH also reported that “name, address, Social Security number, Driver’s License number, passport number, financial account information, and/or limited medical information” may have been subject to unauthorized access.
CH indicates in their announcement what they’re doing to address the data breach and avoid future breaches – including that they “implemented Multi-Factor Authentication for all administrative staff, began rolling out a Single Sign On solution for clinical staff, and effected weekly data security and monthly simulated phishing training for all employees”. They also stated that “we are also offering credit monitoring and identity theft protection services for all potentially affected individuals.”
It’s important to note that the IBM number referenced above is an average. Some breaches, like this one, take even longer. If you experienced a data breach on January 1st of this year, on average you wouldn’t have fully identified and contained it until October 14th. Ouch.
So, what do you think? Are you surprised that the timeline for notification for data breaches can be so long? Please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.