In March 2024, LockBit3.0 added Redwood Coast Regional Center (RCRC) to its leak site. On May 3, RCRC notified HHS of the March 6 incident, reporting that 500 patients had been affected. RCRC only recently updated that report to indicate that 24,937 patients were affected. On or about November 5, they began mailing out letters to patients to alert them that the information involved may have included their names plus addresses, phone numbers, dates of birth, health insurance information, health insurance ID number, patient ID number, provider name, service date, diagnosis/treatment information, medical history information, prescription information, financial account information and/or Social Security numbers.
It seems that for eight months, almost 25,000 patients did not receive notification letters about an incident involving a lot of protected health information. But RCRC is not particularly unusual in terms of the gap in updating HHS and the gap in sending patients individual notification letters.
Earlier this year, Protenus’s 2024 Breach Barometer noted that there had been more than 50 reports to HHS during 2023 where entities used markers of 500 or 501 for the number of patients affected, but the reports had not been updated by the end of the year. DataBreaches had asked HHS what it does in those cases, but received no reply, and HHS OCR has yet to reply to a freedom of information request asking for records concerning any policies or procedures they have when entities do not follow up and report the number of patients affected. DataBreaches notes that this is not just an idle curiosity. How many patients each year had their PHI in a breach and never were notified by the responsible entity? How many of them might have experienced fraudulent use of their information but have no idea how it happened?
Numbers STILL Unknown
Protenus recently provided an update on the issue based on data available as of September 12, 2024. At the time of their publication, the Change Healthcare breach was still showing a “500” marker on HHS’s public breach tool. It would later be updated to 100 million. As Protenus noted:
For better or worse, many firms use HHS’s published breach tool to consider trends in health data breaches. As Protenus has noted each year in its Breach Barometer report, interpreting data from HHS’s breach tool is fraught with ambiguity about what some categories mean or how to interpret some numbers, but one thing seems clear to us: if an entity is not reporting updated data following initial breach reporting, and if regulations do not require any further timely notification to patients and to the Secretary, patients may be left in the dark about how their healthcare providers protect – or have failed to protect – their privacy.
This morning, DataBreaches re-ran the search for incidents reported to HHS during 2023 that were still showing only 500 or 501 markers. There were still 34 such reports, some going back to January 2023. Of the 34 reports, two were coded as Unauthorized Access or Disclosure, and one was coded as Improper Disposal. The remaining 31 were all coded as Hacking/IT Incidents. Only one of them had a closing investigation note, meaning that the other cases were presumably still open and under investigation.
So some of the more than 50 reports Protenus had noted in its 2024 Breach Barometer report have been updated since then, but there are still almost three dozen incidents reported to HHS in 2023 for which we do not have updated notices and for which patients may not have been sent any notification letters.
DataBreaches also ran a search for incidents reported to HHS in 2024 that currently show 500 or 501 markers. Protenus had reported that there were 49 such reports as of September 12 for this year. There are currently 54 such reports. One is coded as Theft, one is coded as Improper Disposal, and the remaining 52 are coded as Hacking/IT Incidents.
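The search described above can be reproduced against an export of HHS's breach portal. The following script is an added illustration, not code from DataBreaches.net or Protenus: it filters reports by submission year, keeps those still carrying a 500 or 501 placeholder count, breaks them down by breach type, and shows how long each placeholder has been sitting as of a chosen date. The column names are assumed to match the portal's CSV export, and the rows are constructed sample data, not real portal records.

```python
"""Flag HHS breach-portal reports that still carry a 500/501 placeholder count.

Added example, not code from DataBreaches.net or Protenus. The column names are
ASSUMED to match the HHS breach portal's CSV export; the rows in SAMPLE_CSV are
constructed sample data, not real portal records.
"""
import csv
import io
from collections import Counter
from datetime import date, datetime

# Initial-report placeholders entities commonly file before a real count is known.
PLACEHOLDER_COUNTS = {500, 501}

# Constructed sample export (not real HHS data).
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Clinic A,CA,Healthcare Provider,500,01/12/2023,Hacking/IT Incident,Network Server
Example Clinic B,TX,Healthcare Provider,24937,03/06/2024,Hacking/IT Incident,Network Server
Example Plan C,NY,Health Plan,501,06/20/2023,Unauthorized Access/Disclosure,Email
Example Clinic D,FL,Healthcare Provider,500,02/02/2024,Theft,Laptop
Example Clinic E,WA,Healthcare Provider,12000,09/15/2023,Hacking/IT Incident,Network Server
Example Clinic F,OH,Healthcare Provider,500,11/01/2024,Hacking/IT Incident,Network Server
"""


def load_reports(text):
    """Parse a portal-style CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def is_placeholder(row):
    """True when the reported count is one of the 500/501 placeholder values."""
    try:
        count = int(row["Individuals Affected"].replace(",", ""))
    except ValueError:
        return False  # blank or malformed count: not a recognised placeholder
    return count in PLACEHOLDER_COUNTS


def submission_date(row):
    """Portal export uses MM/DD/YYYY submission dates (assumed format)."""
    return datetime.strptime(row["Breach Submission Date"], "%m/%d/%Y").date()


def placeholder_reports(rows, year):
    """Reports submitted in `year` whose count has never been updated."""
    return [r for r in rows if submission_date(r).year == year and is_placeholder(r)]


def breakdown_by_type(rows):
    """Count stale reports per 'Type of Breach' code."""
    return Counter(r["Type of Breach"] for r in rows)


def days_pending(row, as_of):
    """How long the placeholder has stood without an updated count."""
    return (as_of - submission_date(row)).days


if __name__ == "__main__":
    rows = load_reports(SAMPLE_CSV)
    as_of = date(2024, 11, 20)  # constructed review date
    for year in (2023, 2024):
        stale = placeholder_reports(rows, year)
        print(f"{year}: {len(stale)} placeholder reports", dict(breakdown_by_type(stale)))
        for r in stale:
            print(f"  {r['Name of Covered Entity']}: {days_pending(r, as_of)} days pending")
```

Running it against a real export only requires replacing `SAMPLE_CSV` with the file contents; the placeholder filter and the per-type breakdown are what produce the "31 of 34 coded as Hacking/IT Incidents" style of figures quoted in the post.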
How many of these incidents involve data that has already been leaked on the dark web or clear net? How many patients might have nude photos of them exposed on the internet but have not found out yet?
Perhaps HHS should run a concerted campaign to get entities to report and update their reports in a more timely manner. The fact that HHS did not even reply to an inquiry asking what it does in these cases suggests that this has not been a priority for it at all. It should be. Not only should HHS follow up and get entities to update their reports promptly, but it should also look at whether notification letters disclose when entities already know that data has been leaked on the internet.
Too much information continues to be withheld from patients affected by breaches. DataBreaches does not know whether the incoming administration will care or if it will dismantle or weaken HHS OCR, but DataBreaches will continue to care and continue to sound off and push for more transparency and accountability.