DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

OCR Investigator: Goal Is to Uncover ‘Root Cause,’ Remedy Harm From Violations

Posted on May 8, 2021 by Dissent

If you haven’t read it already, do read Theresa Defino’s excellent report from HCCA Compliance’s Report on Patient Privacy on JDSupra. It may be one of the most interesting — and most frustrating — reports I’ve read about OCR investigations.

Why did I find it frustrating, you might wonder?  Because of the lack of any actual body of enforcement actions on security rule violations.

So here’s an example of what they might consider a “high impact” case — drawn from my files, not their investigator’s comments in the report:

In July, 2018, this site investigated allegations that Holland Eye Surgery & Laser Center had knowingly covered up a hack and exfiltration of patient data that occured in June, 2016. The investigation uncovered evidence that  supported the allegations: police reports filed by the covered entity itself with the police in July, 2016 that indicated that they had been sent samples of patient data and an extortion demand. Yet in public notice, they claimed they had no idea until March, 2018.

This site filed a watchdog complaint with OCR over the entity’s failure to disclose the breach to patients or to OCR, especially since the threat actor had notified them that he was selling patient data on the dark web.

It was circa July, 2018 that the complaint with OCR was filed.

There has been no closure of the investigation yet.

Wouldn’t it behoove OCR to vigorously enforce the notification requirement when it has evidence of willful noncompliance?  Even if they decided to cut the covered entity some slack or accepted some “explanation” the covered entity may have offered them, this type of situation calls for enforcement/monetary penalty and not just a technical assistance letter.

This site has filed other complaints against other entities with OCR alleging violations of the security rule. In some cases, OCR has notified me that they have folded my complaint into the investigation they were already doing of the entity and that they will let me know when that is completed. In one case, they told me that they dropped a matter because the entity had dissolved their business.  But they actually could have pursued it even after closure — especially since if they checked, they would discovered that the business is still operating.

OCR definitely needs more subject-matter experts when it comes to evaluating some complaints under the security rule. But they also need to realize that until they take enforcement action and publicize it, entities will continue to take risks and not worry so much about compliance if they think all they are likely risking is a technical assistance letter.

Related posts:

  • An OCR investigation illustrates the value of investigating small and medium-sized entities
  • HHS Office for Civil Rights Imposes a $240,000 Civil Monetary Penalty Against Providence Medical Institute in HIPAA Ransomware Cybersecurity Investigation
  • HHS Office for Civil Rights Settles 9th Ransomware Investigation with Virtual Private Network Solutions
  • Was a recent OCR settlement fair? Maybe, but maybe not.
Category: Commentaries and AnalysesHealth Data

Post navigation

← In Capital One Data Breach Litigation Federal Judge Grants Capital One’s Motion To Certify Question to Virginia Supreme Court
Three Affiliated Tribes Hit by Ransomware Attack, Holding Tribal Information Hostage →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.