As much as I try to find or obtain details on breaches in a timely fashion, it’s not always possible. For example, this month, there are several entities that reported breaches to HHS but have not responded to email and/or phone requests from this site for explanations of their incidents.
But now we finally have more details concerning an incident that appeared on HHS’s public breach tool in July. At the time, they had listed a breach reported by Cefalu Eye-Tech of Green, Inc. in Ohio that affected 850 patients. The breach had been coded as “Unauthorized Access/Disclosure” involving EMR. “Unauthorized Access/Disclosure” could mean so many things that it was hard to use the incident in monthly analyses of external vs. internal, etc.
But now HHS has added an update to that entry:
An employee of Cefalu Eye-Tech of Green, Inc. (Cefalu) photographed computer screens containing the protected health information (PHI) of approximately 850 individuals, including names, addresses, email addresses, and codes for diagnosis and conditions. Following the breach, Cefalu investigated the breach and provided breach notification to HHS and the affected individuals. OCR determined that the reporting entity is no longer a covered entity. OCR obtained documentation supporting its finding that Cefalu is no longer a covered entity.
So it was an insider breach. Was Cefalu a covered entity at the time of this breach, or is it the case that OCR can do nothing if an entity that was a covered entity at the time of a breach is no longer a covered entity? Anyone know?