Repeat after me: "Date of discovery" does NOT mean the date you completed any investigation. It is the date on which you first knew or reasonably should have known that you had a breach of unsecured PHI.
It is not a huge breach as breaches go, but Sightpath Medical's breach notification raises a lot of questions about compliance with HIPAA's Breach Notification Rule. I hope #HHSOCR investigates this one.