If you’re hoping that HHS will do anything about the recent Community Health Systems breach affecting 4.5 million patients across the country, don’t hold your breath.
Not only is the incident not even up yet on HHS’s public breach tool, where it will become the second largest breach since such public reporting went into effect in September 2009, but a review of other large breaches shows that apparently, not one of them has resulted in a closed or completed investigation.
Take a look at the four largest breaches currently listed in the breach tool:
Do you see all those empty fields for “Web Description?”
According to what a spokesperson for HHS had told me some time ago, when HHS closes an investigation, it then enters a summary of the incident that includes what steps the entity took after the breach, etc.
The fact that these fields are all empty, then, suggests that there is either still an open investigation of these breaches or HHS never investigated – or that they just haven’t kept up with updating the breach tool. I’m inclined to think it’s the first of these alternatives.
Surely it would be more helpful for covered entities if OCR investigated promptly and closed cases or took action more promptly so that covered entities could learn what kinds of security failures result in penalties or action. Announcing a monetary penalty years after a breach is of less deterrent value than a promptly issued and publicized one.
I wish they would update the breach I discovered and disclosed would have updated, accurate information.
I’ve seen them make corrections to entries at times (e.g., if I contact them to point out a mistake), but if an entity denies something, I doubt they’ll update until they complete the investigation. HHS/OCR needs more resources and personnel to keep up with the tremendous number of breaches each year. So I continue to be critical, but do have some empathy for how hard their job is.
I don’t envy them, that is for sure. “Wheels of justice move slowly”. I guess they say that for a reason.