DataBreaches.Net

Why Did Change Health Lowball Its 1st Breach Report to Feds?

Posted on by Dissent

Marianne Kolbasuk McGee of HealthInfoSec  poses a question about why Change Healthcare’s report to HHS indicated that 500 patients were affected when they already admitted that there were millions. Why use such a low placeholder instead of a higher number when it has been months since they discovered the breach and they must have some partial numbers that are already significantly higher than 500?  McGee writes:

Some legal experts were surprised by Change Healthcare’s super low estimate in the breach report submitted to HHS OCR, especially considering the circumstances of the high-profile ransomware attack.

“This is unusual,” said regulatory attorney Sara Goldstein of the law firm BakerHostetler. “Typically the ‘500 or 501 individual placeholder’ is used when covered entities or business associates are providing notification within 60 days of discovery but have not identified the total number of individuals requiring notification,” she said. […] “UHG publicly stated that the incident involved information for ‘a substantial proportion of people in America. Based on these statements, one would have expected that the initial notice to HHS OCR would have included a much larger number,” Goldstein said.

Read more at BankInfoSecurity.

Unlike Goldstein, DataBreaches was not surprised at all to see the 500 placeholder, and has an answer to the question, “Why did Change Health lowball its 1st breach report to feds?”

The answer is that HHS OCR has never taken enforcement action against any entity for using a placeholder, even months after the entity first discovered a breach. As long as HHS doesn’t enforce and penalize, why should any entity not take advantage and use just a placeholder to delay announcing what might be staggering numbers?

As reported on Breaches.net, DataBreaches did not get any replies when this site emailed and called HHS OCR in January and February to ask how they follow up when an entity uses a 500 or 501 placeholder. Getting no answer at all, DataBreaches filed under FOIA in March. No substantive reply has been received as yet.