A few weeks ago yet another California dentist submitted a notification letter to the California Attorney General as required. Unfortunately, this is another example of when doctors choose to DIY breach mitigation — and fail.
I see notification letters like this when doctors call their insurance company and they are advised to write a letter with direct contact information and to tell their patients to pay for their own credit monitoring.
This Dr. should expect pushback from patients and possibly lawsuits under Private Right of Action. Most California residents have had some kind of breach (Target, Home Depot etc.) and have received notification letters that are correct and offer credit monitoring services.
There is a particular way to report a breach and notify patients. This is not it. The biggest thing I have learned about HIPAA is that when doing breach mitigation, there are a lot of ways to do it wrong and those usually happen when people try to save money by doing mitigation themselves.