While the violation is clear, Ben Pick, senior application security consultant at nVisium, told Threatpost that penalties levied against the healthcare organization are likely to be light.
“The end result against the company may only be minor penalties, such as credit monitoring or similar services for those impacted,” Pick said.
Pick explained that a lack of tough enforcement of healthcare security could be behind Einstein's delay in reporting the breach.
“As for why Einstein Healthcare failed to notify its end users within a reasonable time period, that was likely a business decision to be further removed from the time of the incident. Without more serious penalties, there is not a strong incentive to report these breaches,” he said.