DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

OCR's web site criticized for "bare bones" approach

Posted on March 1, 2010 by Dissent

Over on the Los Angeles Times, David Lazarus raises an issue that I raised here last week: the fact that some breaches on the Office of Civil Rights’ (OCR’s) list of breached covered health care entities shield the entity’s name and merely lists the entity as “Private Practice.” Referring to the breaches posted on OCR’s web site, David writes:

In the [five] Sept. 27 Torrance cases, for example, were the doctors in the same office? Were they in the same building? Did they share a single computer? Did they share office staff? Or was it just a fluke that five local doctors’ offices were hit by cyber-thieves on the same day? More to the point, were people’s Social Security numbers involved? What about billing information? The Health and Human Services database doesn’t include this information. Nor does it identify the doctors involved.

All good points. But the HITECH Act does not seem to require HHS to post all the data they receive about a breach (breached entities use the reporting form at http://transparency.cit.nih.gov/breach/index.cfm if you want to see what information HHS requires entities to provide). Ironically, perhaps, the transparency in the url doesn’t extend to sharing the information with the public openly. David obtained a statement from Georgina Verdugo, Director of the HHS Office for Civil Rights who reportedly said:

The main point of the law is not to put notices up on the website. It’s to trigger a regulatory investigation.

Oh really? I thought that the main point of the part of the law requiring HHS to post a list on its web site was to inform the public. HHS does not need a web site to investigate breach reports they get. We, the people, need the web site so that we can see whether those we may have entrusted with our protected health information have been worthy of that trust and to have information available to assist us in choosing our health care providers or insurers if the security and privacy of our health information is important to us. HITECH was supposed to give us greater protections, assurances that we will be notified of compromise of our unsecured protected health information, and greater transparency. Although OCR’s list may be better than having nothing, it really does not provide sufficient information. Because OCR is taking the position that it cannot reveal the private practitioner’s names without their consent, I will probably have to file under Freedom of Information and then appeal the ruling. Hopefully, some of the organizations who fight for transparency and access to public records will either join me or take over as they have more knowledge and resources to fight this than I do.


Related:

  • Two more entities have folded after ransomware attacks
  • Data breach feared after cyberattack on AMEOS hospitals in Germany
  • Premier Health Partners issues a press release about a breach two years ago. Why was this needed now?
  • Theft from Glasgow’s Queen Elizabeth University Hospital sparks probe
  • North Country Healthcare responds to Stormous's claims of a breach
  • Texas Enacts Electronic Health Record Data Localization Law
Category: Health Data

Post navigation

← Hacker broke into Bennett College office computer
Wiseguys indicted in $25 million CAPTCHA-bot scheme →

1 thought on “OCR's web site criticized for "bare bones" approach”

  1. Anonymous says:
    March 1, 2010 at 7:25 pm

    I don’t understand why the name of a private practitioner can’t be truncated and the details revealed. That doctor’s patients will be notified but we need to help see patterns. My other concern is that I know there are other breaches that should have been on that list. Are they hiding under the “risk of harm” clause? Companies deciding if risk of harm is a problem. It provides a shield. Only a federal law enforcement agency should have power to say there is no risk of harm. Companies must have some strange Crazy 8 balls they shake- Risk of harm: no way, undoubtable no, don’t ask-don’t tell. Unfortunately it is not a carnie game to those of us whose information may be exposed.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Scattered Spider Hijacks VMware ESXi to Deploy Ransomware on Critical U.S. Infrastructure
  • Hacker group “Silent Crow” claims responsibility for cyberattack on Russia’s Aeroflot
  • AIIMS ORBO Portal Vulnerability Exposing Sensitive Organ Donor Data Discovered by Researcher
  • Two Data Breaches in Three Years: McKenzie Health
  • Scattered Spider is running a VMware ESXi hacking spree
  • BreachForums — the one that went offline in April — reappears with a new founder/owner
  • Fans React After NASCAR Confirms Ransomware Breach
  • Allianz Life says ‘majority’ of customers’ personal data stolen in cyberattack (1)
  • Infinite Services notifying employees and patients of limited ransomware attack
  • The safe place for women to talk wasn’t so safe: hackers leak 13,000 user photos and IDs from the Tea app

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Congress tries to outlaw AI that jacks up prices based on what it knows about you
  • Microsoft’s controversial Recall feature is now blocked by Brave and AdGuard
  • Trump Administration Issues AI Action Plan and Series of AI Executive Orders
  • Indonesia asked to reassess data privacy terms in new U.S. trade deal
  • Meta Denies Tracking Menstrual Data in Flo Health Privacy Trial
  • Wikipedia seeks to shield contributors from UK law targeting online anonymity
  • British government reportedlu set to back down on secret iCloud backdoor after US pressure

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.