60 Days to Tell You. 60 Minutes to Sell Your Data.
HIPAA gives organizations 60 days to notify breach victims. Here's how that window gets used, why attackers move faster, and what needs to change.
MedStar Health mailed breach notification letters on December 3, 2025. That was the 60th day after they discovered the breach. Under federal law, it was the last permissible day to act. They used it.
By the time some patients received those letters, it was April 2026. The breach had happened in September. Data breach notification laws allowed every day of that gap.
This is how that works, and why it's a problem.
How the Clock Works
The HIPAA Breach Notification Rule requires covered entities to notify affected individuals "without unreasonable delay" and no later than 60 calendar days after discovery of a breach. Not after the breach itself. After discovery.
That distinction matters. In MedStar's case:
- September 12-16: Attackers accessed MedStar systems
- October 4: MedStar discovered the breach
- November 12: Investigation confirmed which patient data was involved
- December 3: Notification letters began mailing (day 60)
The investigation was complete on November 12: MedStar had a confirmed list of affected patients and knew exactly what data was exposed. MedStar's own timeline proves the point. The investigation took 39 days from discovery. The remaining 21 days served the legal window, not the investigation.
That isn't an accusation. It's how the rule works. The 60-day window is the compliance target, not a worst-case ceiling. Organizations schedule notification mailings around it the same way they schedule any other compliance deadline.
Why Organizations Wait
The standard justification for the 60-day window is that organizations need time to conduct a thorough forensic investigation before notifying patients. Premature notification with incomplete information, the argument goes, could cause unnecessary alarm and be inaccurate.
That argument has merit in the first few weeks. Forensic investigations after a ransomware attack are genuinely complex. Determining exactly which files were accessed, which individuals are affected, and what data classes were involved takes time.
It doesn't take 60 days.
The average ransomware breach notification in healthcare takes 3.7 months, already exceeding the 60-day limit in most cases. The law's flexibility has become the default operating mode, not a safety valve for genuinely complex situations.
There is also a structural incentive problem. Because the clock starts at discovery, organizations have reason to be deliberate about when they formally declare a breach "discovered." An internal security team flagging suspicious activity isn't the same as an official discovery determination. That ambiguity creates room.
The healthcare industry has pushed back hard against proposals to improve this. In December 2025, a coalition of more than 100 hospital systems and provider organizations, led by CHIME, petitioned HHS Secretary Robert F. Kennedy Jr. to rescind proposed HIPAA Security Rule updates, citing an estimated $9 billion in first-year compliance costs. Faster notification timelines face the same resistance. The cost objection is real. It should be weighed against the cost to patients of a 60-day head start for attackers.
What the Letter Is Actually For
HIPAA specifies exactly what a breach notification letter must contain:
- A brief description of what happened
- The types of information involved
- Steps individuals should take to protect themselves
- What the organization is doing to investigate and mitigate
- Contact information
That list tells you what the letter is designed to do: satisfy a regulatory requirement. It is not designed to fully inform you.
Notice what's absent. There is no requirement to disclose who the attacker was. No requirement to state whether the data was sold or auctioned. No requirement to describe the security failures that enabled the breach. No requirement to confirm whether law enforcement has been engaged or whether the ransom was paid.
Many breach letters also include language stating the notification "does not constitute an admission of liability or wrongdoing." That sentence isn't there to help you. It's there because lawyers wrote the letter and lawyers think about liability.
The "What We Are Doing" section, present in virtually every breach letter, is written for regulators, not patients. It documents the organization's response posture in language that will be reviewed if HHS investigates. When MedStar's letter said they "worked with third-party forensic experts" and "notified law enforcement," that was accurate. It was also the section least useful to the person holding the letter.
Breach letters have two audiences: the patient who receives them, and the regulators who may later audit them. The law optimizes for the second audience.
The States Are Moving Faster
The federal 60-day rule is a floor, not a ceiling. States can, and increasingly do, set stricter requirements.
New York now requires breach notification within 30 days of discovery, with a separate 10-day notice to state agencies including the Attorney General, Department of State, and Division of State Police. California's SB 446 requires disclosure within 30 days. Florida requires consumer notification within 30 days. Texas requires attorney general notification within 30 days for breaches affecting 250 or more residents, though the consumer notification window remains 60 days. Puerto Rico requires notification to the Department of Consumer Affairs within 10 days, with consumer notice to follow as expeditiously as possible.
The trend is clear: 30 days is becoming the new state-level norm. The federal standard hasn't moved.
For healthcare organizations operating nationally, this creates a patchwork. A breach affecting patients in New York and Maryland in the same incident may trigger different timelines depending on where each patient lives. MedStar operates across the Baltimore-Washington corridor, covering Maryland, DC, and Virginia, each with its own requirements layered on top of HIPAA.
When California, New York, and Florida all independently set 30-day consumer notification requirements, and even Texas moves to tighten government reporting timelines, the federal standard is overdue for revision.
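The patchwork described above is what an incident response team has to track per patient population. The following is an added example, not code from the post or from MedStar, that encodes the federal 60-day rule and the state timelines the post lists, and computes the binding deadline for each state in an incident. It assumes every clock starts at the discovery date (a simplification; some statutes count differently) and uses the MedStar discovery date as sample input.

```python
from datetime import date, timedelta

# HIPAA Breach Notification Rule: individual notice no later than 60 days after discovery.
FEDERAL_CONSUMER_DAYS = 60

# State requirements as described in the post, counted from discovery (assumption).
# "consumer" = days to notify individuals; "regulator" = days to notify state agencies.
STATE_RULES = {
    "NY": {"consumer": 30, "regulator": 10},
    "CA": {"consumer": 30},
    "FL": {"consumer": 30},
    "TX": {"consumer": 60, "regulator": 30, "regulator_min_residents": 250},
    "PR": {"regulator": 10},
}


def notification_deadlines(discovered: date, residents_by_state: dict) -> dict:
    """Return, per state, the consumer notice due date, whether the state or the
    federal rule is binding, and any regulator notice due date that applies."""
    obligations = {}
    for state, resident_count in residents_by_state.items():
        rule = STATE_RULES.get(state, {})  # states not listed fall back to HIPAA alone
        consumer_days = min(FEDERAL_CONSUMER_DAYS, rule.get("consumer", FEDERAL_CONSUMER_DAYS))
        entry = {
            "consumer_due": discovered + timedelta(days=consumer_days),
            "binding": "state" if consumer_days < FEDERAL_CONSUMER_DAYS else "federal",
        }
        # Regulator notice applies only above any resident threshold (e.g. Texas: 250).
        if "regulator" in rule and resident_count >= rule.get("regulator_min_residents", 1):
            entry["regulator_due"] = discovered + timedelta(days=rule["regulator"])
        obligations[state] = entry
    return obligations


def days_late(due: date, actual: date) -> int:
    """Days by which an actual notification date missed a deadline (0 if on time)."""
    return max(0, (actual - due).days)


if __name__ == "__main__":
    # Constructed sample: MedStar's discovery date with hypothetical resident counts.
    discovered = date(2025, 10, 4)
    for st, ob in notification_deadlines(discovered, {"MD": 5000, "NY": 40, "TX": 300}).items():
        print(st, ob)
```

Running the sample shows Maryland bound only by the federal day-60 date (December 3, 2025, the day MedStar mailed), while the same mailing date would be 30 days late for New York residents.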
The Head Start Problem
On October 4, 2025, the same day MedStar determined they had a breach, the threat actors who used Rhysida ransomware listed the full exfiltrated dataset for auction on their dark web site. The asking price was 25 bitcoin, roughly $3 million at the time. That listing was public.
MedStar patients were not notified for another 60 days.
This is the head start problem. Attackers operate in hours. Financial gain drives the vast majority of cybercrime, and stolen PHI is a commodity with buyers ready to move immediately. By the time breach notification laws require anyone to tell you your data was exposed, the data has already been on the market for months.
Credit freezes, IRS IP PINs, and fraud flags with your insurer are all reactive tools. They work. But they work better the sooner you deploy them. A 60-day notification window followed by postal delivery means most breach victims are the last people to know their data is circulating.
What Would Actually Help
The current framework isn't broken. It's optimized for the wrong thing. It minimizes liability for organizations and gives regulators an auditable paper trail. It does not minimize harm to patients.
Three changes would meaningfully improve outcomes:
1. Shorten the federal window to 30 days. States have already demonstrated this is operationally achievable. A 30-day federal floor would bring the US in line with where state law is already heading and eliminate the incentive to stretch investigations to fill available time.
2. Require electronic notification where contact information exists. Mailing letters to last known addresses is a 1996 solution. MedStar operates a patient portal with active user accounts. The infrastructure for electronic notification exists. The law just doesn't require using it. Electronic notification should be the primary channel, with mail as the fallback. (For what it's worth, the same organizations that send billing statements electronically within 24 hours of a visit already have this capability. They know how to reach you when money is involved.)
3. Require disclosure of data disposition. If the threat actor auctioned or sold the data, patients deserve to know. "Your data was listed for public auction at 25 bitcoin before we notified you" changes the urgency calculus for every person reading the letter. The current framework allows organizations to omit this entirely.
None of these changes requires dismantling HIPAA. They require updating a breach notification timeline that hasn't changed since the HITECH Act established it in 2009.
In the meantime: the HHS breach portal maintains a public list of every reported breach affecting 500 or more individuals. Most people don't know it exists. If you want to check whether other organizations holding your data have already filed, it's there.
If you received a MedStar breach letter, or any breach letter, and haven't taken the remediation steps yet, start with the runbook in my previous post. The system gave attackers a head start. The steps there help close the gap.