DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

OCR's web site criticized for "bare bones" approach

Posted on March 1, 2010 by Dissent

Over on the Los Angeles Times, David Lazarus raises an issue that I raised here last week: the fact that some breaches on the Office of Civil Rights’ (OCR’s) list of breached covered health care entities shield the entity’s name and merely lists the entity as “Private Practice.” Referring to the breaches posted on OCR’s web site, David writes:

In the [five] Sept. 27 Torrance cases, for example, were the doctors in the same office? Were they in the same building? Did they share a single computer? Did they share office staff? Or was it just a fluke that five local doctors’ offices were hit by cyber-thieves on the same day? More to the point, were people’s Social Security numbers involved? What about billing information? The Health and Human Services database doesn’t include this information. Nor does it identify the doctors involved.

All good points. But the HITECH Act does not seem to require HHS to post all the data they receive about a breach (breached entities use the reporting form at http://transparency.cit.nih.gov/breach/index.cfm if you want to see what information HHS requires entities to provide). Ironically, perhaps, the transparency in the url doesn’t extend to sharing the information with the public openly. David obtained a statement from Georgina Verdugo, Director of the HHS Office for Civil Rights who reportedly said:

The main point of the law is not to put notices up on the website. It’s to trigger a regulatory investigation.

Oh really? I thought that the main point of the part of the law requiring HHS to post a list on its web site was to inform the public. HHS does not need a web site to investigate breach reports they get. We, the people, need the web site so that we can see whether those we may have entrusted with our protected health information have been worthy of that trust and to have information available to assist us in choosing our health care providers or insurers if the security and privacy of our health information is important to us. HITECH was supposed to give us greater protections, assurances that we will be notified of compromise of our unsecured protected health information, and greater transparency. Although OCR’s list may be better than having nothing, it really does not provide sufficient information. Because OCR is taking the position that it cannot reveal the private practitioner’s names without their consent, I will probably have to file under Freedom of Information and then appeal the ruling. Hopefully, some of the organizations who fight for transparency and access to public records will either join me or take over as they have more knowledge and resources to fight this than I do.

No related posts.

Category: Health Data

Post navigation

← Hacker broke into Bennett College office computer
Wiseguys indicted in $25 million CAPTCHA-bot scheme →

1 thought on “OCR's web site criticized for "bare bones" approach”

  1. Anonymous says:
    March 1, 2010 at 7:25 pm

    I don’t understand why the name of a private practitioner can’t be truncated and the details revealed. That doctor’s patients will be notified but we need to help see patterns. My other concern is that I know there are other breaches that should have been on that list. Are they hiding under the “risk of harm” clause? Companies deciding if risk of harm is a problem. It provides a shield. Only a federal law enforcement agency should have power to say there is no risk of harm. Companies must have some strange Crazy 8 balls they shake- Risk of harm: no way, undoubtable no, don’t ask-don’t tell. Unfortunately it is not a carnie game to those of us whose information may be exposed.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Air Force Employee Pleads Guilty to Conspiracy to Disclose Unlawfully Classified National Defense Information
  • UK police arrest four in connection with M&S, Co-op and Harrods cyberattacks (1)
  • At U.S. request, France jails Russian basketball player Daniil Kasatkin on suspicion of ransomware conspiracy
  • Avantic Medical Lab hacked; patient data leaked by Everest Group
  • Integrated Oncology Network victim of phishing attack; multiple locations affected (2)
  • HHS’ Office for Civil Rights Settles HIPAA Privacy and Security Rule Investigation with Deer Oaks Behavioral Health for $225k and a Corrective Action Plan
  • HB1127 Explained: North Dakota’s New InfoSec Requirements for Financial Corporations
  • Credit reports among personal data of 190,000 breached, put for sale on Dark Web; IT vendor fined
  • Five youths arrested on suspicion of phishing
  • Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How to Build on Washington’s “My Health, My Data” Act
  • Department of Justice Subpoenas Doctors and Clinics Involved in Performing Transgender Medical Procedures on Children
  • Google Settles Privacy Class Action Over Period Tracking App
  • ICE Is Searching a Massive Insurance and Medical Bill Database to Find Deportation Targets
  • Franklin, Tennessee Resident Sentenced to 30 Months in Federal Prison on Multiple Cyber Stalking Charges
  • On July 7, Gemini AI will access your WhatsApp and more. Learn how to disable it on Android.
  • German court awards Facebook user €5,000 for data protection violations

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.