When you think about reporting a healthcare data breach to authorities, family-owned furniture manufacturers nestled in the serenity of North Carolina aren’t exactly at the top of the list.

But a recent incident provides an object lesson in just how far reporting obligations extend under the Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA).

Klaussner Furniture Industries, Inc., a 55-year-old privately owned furniture manufacturer in Asheboro, North Carolina, reported a “[h]acking/IT incident” earlier this month, saying that the company learned that an “unauthorized third party gained access to two computers on its networks that contained certain personal information about a limited number of current or former employees, and some of their dependents.”

It was reported that the incident affected about 9,300 individuals. The information apparently exposed included names, addresses, Social Security numbers, financial account information, dates of birth, health information, and health benefit election information. The data stored on the computers related to employees from 1998 and from 2004 through 2019.

In a written statement, Klaussner said that, when the incident was discovered in February 2019, it took “immediate action” that included starting an internal investigation, retaining a forensics firm and notifying law enforcement. No further details about the breach were disclosed.

In general, the HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notice in the event of a breach of unsecured protected health information (PHI). Affected individuals must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered; a breach affecting 500 or more individuals must also be reported to the Secretary of HHS within that same window, with notice to prominent media outlets where 500 or more residents of a state or jurisdiction are affected, while smaller breaches are logged and reported to HHS annually. There are, of course, similar rules implemented and enforced by the U.S. Federal Trade Commission for vendors of personal health records and their third-party service providers under the HITECH Act.

Data breach notices affecting 500 or more individuals are a matter of public record and are listed by the U.S. Department of Health and Human Services Office for Civil Rights on an online portal, “Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information.”

The Klaussner incident underscores the difficulty organizations face in determining whether they hold information that is subject to HIPAA. Even when an organization uses an outside plan administrator, not all PHI resides with the third-party administrator. In many instances, employers that sponsor self-insured health plans store and transmit PHI on the plan's behalf, for example enrollment and benefit election data. Although the employer itself is generally not a covered entity, the group health plan it sponsors is, so a compromise of that data on the employer's own systems can trigger HIPAA reporting obligations.

A prudent rule of thumb for any organization that might retain PHI, especially one that sponsors a self-funded, self-insured plan that pays for healthcare benefits, is to identify where that data lives in house and to limit access to it through the administrative, technical and physical safeguards that the HIPAA Security Rule requires. Encrypting PHI at rest in a manner consistent with HHS guidance has the added benefit of taking the data out of the “unsecured” category, so that loss of an encrypted device or file, by itself, does not trigger the notification obligations described above.