HHS breach investigations badly backlogged, leaving us in the dark

Posted on February 5, 2013 by Dissent

To say that I am frequently frustrated by HHS’s “breach tool” would be an understatement. Their reporting form and coding often make it impossible to know – simply by looking at their entries – what type of breach occurred. Consider this description from one of their entries:

“Theft, Unauthorized Access/Disclosure”,”Laptop, Computer, Network Server, Email”

So what happened there? What was stolen? Everything? And what types of patient information were involved?

Or how about this description:

“Unauthorized Access/Disclosure,Paper”

What happened there? Did a mailing expose SSN in the mailing labels or did an employee obtain and share patients’ information with others for a tax refund fraud scheme? Your guess is as good as mine. And HHS’s breach tool does not include any data type fields that might let us know whether patients’ SSN, Medicare numbers, diagnoses, or other information were involved.

If HHS followed up on these entries in a timely fashion with additional details, it would still be somewhat frustrating, but they don’t. HHS withholds crucial information about breaches that are “under investigation” and they are years behind in investigating incidents.

Yes, years.

If you look at the .csv form of the breach tool, you’ll see that when HHS closes an investigation, it enters a summary of the incident. But if you scroll down their database, you’ll note that some incidents from 2010 and many incidents from 2011 are presumably still open. And not one incident’s investigation from 2012 has been closed. Not one.

It is possible that some investigations that appear open are open because they have been referred to OCR for further action or may involve some enforcement action or pending resolution. But for most of the entries, it is not clear why the breach investigation has not been closed. And until it is closed, HHS will not tell us anything.
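The check described above (looking for entries whose summary field is still empty, year by year) can be automated against the .csv export. The script below is an added example, not code from DataBreaches.net or HHS; the column names and the sample rows are constructed for this example (the two multi-valued entries are the ones quoted in the post), and the "closed" heuristic is the post's own: a non-empty summary means HHS has closed the investigation.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the shape of a breach-tool CSV export. The header
# names are assumptions for this example, not a claim about the real file;
# the dates and summary texts are invented.
SAMPLE_CSV = """\
Name of Covered Entity,Breach Submission Date,Type of Breach,Location of Breached Information,Web Description
Example Clinic A,2010-03-04,"Theft, Unauthorized Access/Disclosure","Laptop, Computer, Network Server, Email",
Example Clinic B,2011-07-15,"Unauthorized Access/Disclosure",Paper,"Mailing labels exposed SSNs; entity retrained staff."
Example Clinic C,2011-09-30,Theft,Laptop,
Example Clinic D,2012-02-11,"Unauthorized Access/Disclosure",Paper,
Example Clinic E,2012-11-02,Hacking/IT Incident,Network Server,
"""


def parse_entries(text):
    """Parse with csv.DictReader so commas inside quoted, multi-valued
    fields stay inside the field instead of shifting the columns."""
    return list(csv.DictReader(io.StringIO(text)))


def split_multi(value):
    """'Theft, Unauthorized Access/Disclosure' -> ['Theft', 'Unauthorized Access/Disclosure']"""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def is_closed(entry):
    # Post's heuristic: HHS enters a summary only once the investigation is closed.
    return bool((entry.get("Web Description") or "").strip())


def open_closed_by_year(entries):
    """Return {year: (open_count, closed_count)} keyed by submission year."""
    tally = defaultdict(lambda: [0, 0])
    for e in entries:
        year = e["Breach Submission Date"][:4]
        tally[year][1 if is_closed(e) else 0] += 1
    return {y: tuple(c) for y, c in sorted(tally.items())}


def breach_type_counts(entries):
    """Count each breach type separately, so a combined entry counts once per type."""
    c = Counter()
    for e in entries:
        c.update(split_multi(e["Type of Breach"]))
    return c


def ambiguous_entries(entries):
    """Open entries whose type or location lists several values: the rows the
    post says cannot be interpreted from the tool alone."""
    return [
        e["Name of Covered Entity"]
        for e in entries
        if not is_closed(e)
        and (len(split_multi(e["Type of Breach"])) > 1
             or len(split_multi(e["Location of Breached Information"])) > 1)
    ]


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_CSV)
    for year, (open_n, closed_n) in open_closed_by_year(entries).items():
        print(f"{year}: {open_n} open, {closed_n} closed")
    print(breach_type_counts(entries))
    print("Unreadable without a summary:", ambiguous_entries(entries))
```

Run against the real export, the per-year tally makes the backlog visible at a glance, and `ambiguous_entries` lists exactly the rows where a reader has no way to tell what was stolen or what data was involved.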

Because many entities still do not post notifications on their web sites and I cannot always find substitute notices in local media, the breach tool is often the only information we have about a breach involving more than 500 patients’ protected health information. HHS’s reluctance to discuss a case under investigation is understandable, but not if it takes them years to investigate and close a file. And with the new HITECH breach notification rules, there will likely be an increase in the number of breach notifications to HHS and even more breaches that they will have to investigate.

Something needs to change. Those of us who track and analyze breach trends need more transparency and information, not information that is delayed by more than two years.

I’m not sure who in HHS or Congress might give a damn, but feel free to pass these concerns along.

Update: Adam Shostack reacts to this post and offers some useful suggestions on his blog.
