DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Coming in "under the line:" when breaches affect less than 500 individuals

Posted on February 21, 2011 by Dissent

In a blog post, “500 Is a Magic Number:  Health Information Breaches Impacting 499 or Fewer Patients Likely Go Uninvestigated By OCR,” Colin J. Zick of Foley Hoag writes:

In the recently-released fiscal 2012 budget for HHS, a dirty little secret has been acknowledged:  the Office of Civil Rights does not have the resources to review all reported breaches of health information.  In fact, if you have a breach that impacts up to 499 people, you are unlikely to hear from OCR at all:

Current OCR practice is to validate, post to the HHS website, and subsequently investigate all breach reports that impacted more than 500 individuals. Breach reports that impacted fewer than 500 individuals are compiled for future reporting to Congress; however they are treated as discretionary and only investigated if resources permit.

While this prioritization makes a certain amount of sense, it leaves the vast majority of breaches unreviewed.  According to that same budget report, “[a]s of September 30, 2010, OCR has received a total of 9,300 breach reports (191 impact more than 500 individuals and 9,109 impact less than 500 individuals).”  That’s a mere 2% of all breaches that have OCR’s full attention.  The takeaway from this is to count your breaches carefully before reporting, as there seems to be a real benefit to being able to report an impact on less than 500 individuals.

Apart from the fact that I don’t like the fact that he’s right, Mr. Zick did not include subsequent statements that indicate that HHS is seeking additional resources so that it can investigate more breaches. What the fuller section of the fiscal budget request says is:

Breach reports that impacted fewer than 500 individuals are compiled for future reporting to Congress; however they are treated as discretionary and only investigated if resources permit. Based on OCR’s current HIPAA case load, almost all breach reports that impact less than 500 individuals are not investigated. Accordingly, OCR requires additional FTE and resources to ensure it is able to conduct investigations of potential small- and mid-sized breaches.

Even under its currently limited resources, though, entities would be foolish to hope that certain types of breaches will evade investigation. As a recent news story indicates, Rowan Regional Medical Center was investigated following a privacy complaint that involved one patient. Not only were they investigated, but the investigation was subsequently re-opened.

Does HHS need greater resources so that it can investigate more complaints? Undoubtedly.  In the interim, even if it is true that being under the 500 threshold reduces the likelihood of an investigation, covered entities should not count on that protecting them from investigation for issues such as employee snooping or improper handling or disposal of paper records containing PHI. Both of those appear to be  “hot-button” issues for HHS in the past few years.

h/t @MarieAndreeW


Related:

  • North Country Healthcare responds to Stormous's claims of a breach
  • Gladney Adoption Center had serious data exposures in the past few months. What will they do to prevent more?
  • Former U.S. Soldier Pleads Guilty to Hacking and Extortion Scheme Involving Telecommunications Companies
  • DOGE Denizen Marko Elez Leaked API Key for xAI
  • Four people bailed after arrests over cyber attacks on M&S, Co-op and Harrods
Category: Health Data

Post navigation

← Technology would enhance 911 system
Privacy and Security in Health Care: A fresh look →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • North Country Healthcare responds to Stormous’s claims of a breach
  • Gladney Adoption Center had serious data exposures in the past few months. What will they do to prevent more?
  • Former U.S. Soldier Pleads Guilty to Hacking and Extortion Scheme Involving Telecommunications Companies
  • DOGE Denizen Marko Elez Leaked API Key for xAI
  • Four people bailed after arrests over cyber attacks on M&S, Co-op and Harrods
  • RansomedVC is back — and is still attacking its competitors
  • Texas Enacts Electronic Health Record Data Localization Law
  • United Australia Party confirms ransomware attack, personal data and email correspondence exposed
  • Armenian National Extradited to the United States Faces Federal Charges for Ransomware Extortion Conspiracy
  • 70% of healthcare cyberattacks result in delayed patient care, report finds

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Texas Enacts Electronic Health Record Data Localization Law
  • Upstate NY county clerk again refuses to enforce Texas abortion judgment
  • Attorney General James Leads Coalition Urging Congress to Protect Americans from Masked ICE Agents
  • Attorney General Tong Announces $85,000 Settlement with TicketNetwork for Violations of the Connecticut Data Privacy Act​
  • Fourth Circuit upholds West Virginia ban on abortion pills
  • Meta fixes bug that could leak users’ AI prompts and generated content
  • The EU’s Plan To Ban Private Messaging Could Have a Global Impact (Plus: What To Do About It)

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.