DataBreaches.Net


HHS breach tool: When "theft" doesn't mean what you think it means

Posted on September 11, 2014 by Dissent

In May 2011, I noted a breach that had appeared on HHS’s public breach tool involving Community Action Partnership of Natrona County, WY.

An update to that breach was added to the breach tool on September 3 that suggests that the original breach coding by the covered entity as “theft, desktop computer” could have misled some people into thinking that the data were on a stolen desktop. But read HHS’s summary of the incident and investigation:

Community Action partnership of Natrona County,WY,"",15000,02/23/2011,Theft,Desktop Computer,09/03/2014,

“The covered entity (CE), Community Action Partnership of Natrona County, reported a breach affecting approximately 15,000 individuals, wherein it asserted that a virus had infected a computer and exported data. The CE provided breach notification to HHS and the media. Upon investigation, the CE determined that no protected health information was exported or breached. As a result of OCR’s compliance review, the CE improved safeguards to protect its computers from viruses and malware, conducted a risk analysis, drafted a risk management plan, and revised or developed its HIPAA policies and procedures.”

Okay, so there was potential theft of information via virus – and not theft of a computer. Unfortunately, by the time HHS added the incident to their breach tool, the media notice that might have clarified things for us was no longer available.

But what does that confusion about “theft” suggest about all the analyses and commentaries that have been based on HHS’s breach tool and coding? Are analyses that talk about “theft” misleading or inaccurate because the coding system is misleading?

I have repeatedly stated that their coding system is unhelpful. Elsewhere today, I have posted a number of breaches for which we have inadequate information and where their coding system may leave us scratching our heads.

Once again, I would urge HHS to revise its coding system for describing breaches so that those of us who analyze breaches can trust that “theft” means “theft” and not “exfiltration,” and so that there are fields for inputting malware as being involved. They can use VERIS’s coding system or any other meaningful coding system. And ideally, they would include a brief narrative from the covered entity itself that would give us a better sense of what the entity was trying to report.
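As an added illustration (not code from the post or from HHS), here is how an analyst working from the breach-tool export could parse rows in the column layout quoted above, map the HHS "Type of Breach" code to a VERIS-style action, and flag records where a "Theft" code is contradicted by a narrative describing a virus or malware. The first row and its narrative are the page's own; the other rows, narratives and the keyword list are constructed for the example.

```python
import csv, io, re

# Constructed sample rows in the column layout of the HHS breach-tool export quoted
# in the post (name, state, business associate, individuals, breach date, type,
# location, date posted). Row 1 is the page's record; rows 2 and 3 are made up.
SAMPLE_CSV = """\
Community Action partnership of Natrona County,WY,"",15000,02/23/2011,Theft,Desktop Computer,09/03/2014,
Example Clinic A,XX,"",2500,01/10/2014,Theft,Laptop,02/01/2014,
Example Hospital B,XX,"",40000,03/05/2014,Hacking/IT Incident,Network Server,04/01/2014,
"""
FIELDS = ["name", "state", "business_associate", "individuals",
          "breach_date", "type", "location", "posted"]
# Narratives keyed by entity; the first is HHS's summary from the post, the rest constructed.
NARRATIVES = {
    "Community Action partnership of Natrona County":
        "asserted that a virus had infected a computer and exported data",
    "Example Clinic A": "an unencrypted laptop was taken from an employee's car",
    "Example Hospital B": "malware on the server exported records to an outside host",
}
# Keyword heuristic for "the narrative describes malware rather than a physical theft".
MALWARE_TERMS = re.compile(r"virus|malware|trojan|exfiltrat|exported", re.I)

def parse_rows(text):
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec or not rec[0]:
            continue  # blank line
        row = dict(zip(FIELDS, rec))  # zip() drops the trailing empty column
        row["individuals"] = int(row["individuals"])
        rows.append(row)
    return rows

def classify(row, narrative=""):
    """Map the HHS code to a VERIS-style action and flag code/narrative conflicts."""
    hhs_type = row["type"].lower()
    says_malware = bool(MALWARE_TERMS.search(narrative))
    action = "unknown"
    if says_malware:
        action = "malware"
    elif hhs_type == "theft":
        action = "physical"  # HHS 'Theft' taken at face value
    elif "hacking" in hhs_type:
        action = "hacking"
    return {"name": row["name"], "hhs_type": row["type"], "asset": row["location"],
            "action": action, "inconsistent": hhs_type == "theft" and says_malware}

def audit(text=SAMPLE_CSV, narratives=NARRATIVES):
    # One result per row; 'inconsistent' is True where a 'Theft' code masks malware.
    return [classify(r, narratives.get(r["name"], "")) for r in parse_rows(text)]
```

Run `audit()` and the Natrona County row comes back as action "malware" with `inconsistent` set, which is exactly the case the post describes: counted as "theft" by anyone trusting the code alone.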

HHS’s failure to improve their system despite repeated criticisms as to its lack of helpfulness is seriously disappointing.

4 thoughts on “HHS breach tool: When "theft" doesn't mean what you think it means”

  1. Anonymous says:
    September 12, 2014 at 3:03 pm

    The current system is a mess. One of the benefits of the tool, you would think, would be the ability to manipulate the data to see trends. I am in the process of going through the last four years on the HHS breach tool, trying to identify incidents involving unencrypted USB drives, laptops and desktops. There is no consistency in the data. In addition, the dates are all over the place. If HHS wanted to help CEs to know where to concentrate their resources to mitigate the likelihood of a breach.

    1. Anonymous says:
      September 12, 2014 at 4:57 pm

      Can’t you assume that any device reported to HHS was unencrypted (at least by NIST standards for safe harbor)? But yeah, it’s all a mess and people who keep harping on “theft” may be missing the fact that in some of these cases, the “theft” is an insider breach. I wish they had an external/internal/unknown field – among other changes I’d recommend.

      1. Anonymous says:
        September 17, 2014 at 5:23 pm

        You are correct, it is understood the devices are unencrypted. What I should have stated was more detailed as to what the device was – USB, laptop, or desktop. “Theft” or “theft of device” is too vague.

        1. Anonymous says:
          September 17, 2014 at 5:53 pm

          That, too, yes.
