From their report:
Summary
OCR received 609 notifications of breaches affecting 500 or more individuals, representing a decrease of 7% from the number of reports received in calendar year 2020. These reported breaches affected a total of approximately 37,182,558 individuals. The most commonly reported category of breaches was hacking, and the largest breach of this type involved approximately 3,253,822 individuals. OCR also received 63,571 reports of breaches affecting fewer than 500 individuals, with unauthorized access or disclosure reported as the most frequent type of breach reported. These smaller breaches affected a total of 319,215 individuals.
OCR initiated investigations into all 609 breaches affecting 500 or more individuals, as well as 22 breaches involving fewer than 500 individuals. OCR completed 554 breach investigations, through the provision of technical assistance; achieving voluntary compliance through corrective action; resolution agreements and corrective action plans; or after determining no violation occurred. Specifically, OCR resolved two breach investigations with resolution agreements, corrective action plans, and monetary payments totaling $5,125,000.2
Recommendations
There is a continued need for regulated entities to improve compliance with the HIPAA Rules. In particular, the Security Rule standards and implementation specifications of risk analysis, risk management, information system activity review, audit controls, and access control were areas identified as needing improvement in 2021 OCR breach investigations.
As in previous years, hacking/IT incidents remained the largest category of breaches affecting 500 or more individuals occurring in 2021, and hacking/IT incidents also affected the most individuals, comprising 75% of the reported breaches. The largest category of breaches of 500 or more individuals by location was network servers. For breaches affecting fewer than 500 individuals, the largest category by type of breach report was unauthorized access or disclosures, and the largest category by location was paper records.
You can access the full report here.
Comment
They do not seem to offer an explanation for why 55 breach investigations were not completed. Were they not completed by the end of 2021 but completed in 2022, or are they still uncompleted?
HHS’s report notes that their analyses refer to the 609 breaches that occurred or ended in 2021. That number is different than the 714 breaches they report were submitted to them in 2021, some of which had occurred in 2020 or earlier but were first reported to HHS in 2021.
For the 714 reports they received between January 1 to December 31, 2021, DataBreaches found that they did not complete investigations for 270 reports. Why are 270 reports filed in 2021 still not completed by this point in 2023?
And as DataBreaches has noted numerous times, why have they not completed the investigation into a knowing cover-up of a hacking incident with extortion demand that was exposed publicly and then reported to them by DataBreaches in July 2018.
They were handed the police reports showing the entity knew they had been hacked and had received an extortion demand. The police reports showed the entity knew that the hacker was claiming to have sold some of the patient data already. And yet they kept quiet and only revealed the hack after DataBreaches contacted them and told them that this site would be publishing a story about the hack. And then they claimed they had only found out months earlier, when the police reports showed otherwise.
So why hasn’t HHS OCR taken them to court if need be to impose a stiff monetary penalty for the coverup and lies? This was a despicable response by a covered entity and it cannot be tolerated unless we want everyone else deciding to do the same thing.