You are the HIPAA privacy official of a hospital or health plan (a covered entity under HIPAA). You receive an email from a vendor that handles protected health information (a business associate), informing you that one month ago an unauthorized actor infiltrated its information systems. The intruder may have gained access to information about your organization. The vendor learned about the incident two weeks ago and immediately shut off that access, implemented patches to its systems to prevent further intrusion, and launched a forensic analysis to determine the customers and individuals affected by the incident and the nature of the information that was accessed. The vendor does not know how long that will take, but expects it will be months.
