DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

OCR Investigator: Goal Is to Uncover ‘Root Cause,’ Remedy Harm From Violations

Posted on May 8, 2021 by Dissent

If you haven’t read it already, do read Theresa Defino’s excellent report from HCCA Compliance’s Report on Patient Privacy on JDSupra. It may be one of the most interesting — and most frustrating — reports I’ve read about OCR investigations.

Why did I find it frustrating, you might wonder?  Because of the lack of any actual body of enforcement actions on security rule violations.

So here’s an example of what they might consider a “high impact” case — drawn from my files, not their investigator’s comments in the report:

In July, 2018, this site investigated allegations that Holland Eye Surgery & Laser Center had knowingly covered up a hack and exfiltration of patient data that occured in June, 2016. The investigation uncovered evidence that  supported the allegations: police reports filed by the covered entity itself with the police in July, 2016 that indicated that they had been sent samples of patient data and an extortion demand. Yet in public notice, they claimed they had no idea until March, 2018.

This site filed a watchdog complaint with OCR over the entity’s failure to disclose the breach to patients or to OCR, especially since the threat actor had notified them that he was selling patient data on the dark web.

It was circa July, 2018 that the complaint with OCR was filed.

There has been no closure of the investigation yet.

Wouldn’t it behoove OCR to vigorously enforce the notification requirement when it has evidence of willful noncompliance?  Even if they decided to cut the covered entity some slack or accepted some “explanation” the covered entity may have offered them, this type of situation calls for enforcement/monetary penalty and not just a technical assistance letter.

This site has filed other complaints against other entities with OCR alleging violations of the security rule. In some cases, OCR has notified me that they have folded my complaint into the investigation they were already doing of the entity and that they will let me know when that is completed. In one case, they told me that they dropped a matter because the entity had dissolved their business.  But they actually could have pursued it even after closure — especially since if they checked, they would discovered that the business is still operating.

OCR definitely needs more subject-matter experts when it comes to evaluating some complaints under the security rule. But they also need to realize that until they take enforcement action and publicize it, entities will continue to take risks and not worry so much about compliance if they think all they are likely risking is a technical assistance letter.

Category: Commentaries and AnalysesHealth Data

Post navigation

← In Capital One Data Breach Litigation Federal Judge Grants Capital One’s Motion To Certify Question to Virginia Supreme Court
Three Affiliated Tribes Hit by Ransomware Attack, Holding Tribal Information Hostage →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.