How Long is Too Long?

In a follow-up to the recent story about a South Shore hospital whose records had gone missing via a third-party vendor, the Patriot Ledger ran an update discussing the length of time it took the hospital to report the breach:

The regulations do not give a specific notification period, only stating it must be done “as soon as practicable and without unreasonable delay.” Deborah Birnbach, a partner at law firm Goodwin Procter’s Boston office, said the four weeks that passed before the hospital announced the missing records could meet the intentions of the law. The hospital may have been researching the scope of the breach and how many people were affected, she said.

It's interesting because it looks like this could be a bit of a loophole for companies that are impacted by 201 CMR 17.00. We'll continue to watch this situation as it unfolds...