Maternal & Family Health Services (“MFHS”) in Pennsylvania has issued a press release about what they describe as a “sophisticated ransomware incident.” At this point, given so many ransomware attacks over the past few years, DataBreaches has no idea what would be considered “sophisticated.” In any event, MFHS began notifying potentially affected individuals, including certain current and former employees, patients, and vendors, on January 3, 2023. According to their press release, the ransomware incident occurred on April 4, 2022, but the attackers were in their system from August 21, 2021. The subsequent investigation revealed that personal information was accessed and that information included Security numbers, driver’s license numbers, financial account/payment card information, usernames and passwords, medical information and/or health insurance information. The notice does not state what MFHS is doing in response to prevent another incident like this. Nor does it identify what ransomware group was responsible and whether MFHS attempted to negotiate with them at all or actually paid them. If the ransomware attack was in April and data from the incident has not shown up on any of the usual dedicated leak sites by now, did MFHS pay? And why, when HIPAA requires notification no later than 60 days from discovery, did it take MFHS nine months to make notifications? Will HHS or the Commonwealth of Pennsylvania take any action for the late notification? A copy of MFHS’s substitute notice can be found on their website.