DataBreaches.Net


Still in the dark: A “500 marker” is updated, but too many still aren’t. Is HHS doing anything about this??

Posted on November 8, 2024 by Dissent

In March 2024, LockBit3.0 added Redwood Coast Regional Center (RCRC) to its leak site. On May 3, RCRC notified HHS of the March 6 incident, reporting that 500 patients had been affected. RCRC only recently updated that report to indicate that 24,937 patients were affected. On or about November 5, it began mailing letters to patients to alert them that the information involved may have included their names plus addresses, phone numbers, dates of birth, health insurance information, health insurance ID number, patient ID number, provider name, service date, diagnosis/treatment information, medical history information, prescription information, financial account information and/or Social Security numbers.

It seems that for eight months, almost 25,000 patients did not receive notification letters about an incident involving a lot of protected health information. But RCRC is not particularly unusual in terms of the gap in updating HHS and the gap in sending patients individual notification letters.

Earlier this year, Protenus's 2024 Breach Barometer noted that there had been more than 50 reports to HHS during 2023 in which entities used markers of 500 or 501 for the number of patients affected, but the reports had not been updated by the end of the year. DataBreaches had asked HHS what it does in those cases, but received no reply, and HHS OCR has yet to reply to a freedom of information request asking for records concerning any policies or procedures it has for when entities do not follow up and report the number of patients affected. DataBreaches notes that this is not just an idle curiosity. How many patients each year had their PHI in a breach and were never notified by the responsible entity? How many of them might have experienced fraudulent use of their information but have no idea how it happened?

Numbers STILL Unknown

Protenus recently provided an update on the issue based on data available as of September 12, 2024. At the time of their publication, the Change Healthcare breach was still showing a “500” marker on HHS’s public breach tool. It would later be updated to 100 million. As Protenus noted:

For better or worse, many firms use HHS's published breach tool to consider trends in health data breaches. As Protenus has noted each year in its Breach Barometer report, interpreting data from HHS's breach tool is fraught with ambiguity about what some categories mean or how to interpret some numbers, but one thing seems clear to us: if an entity is not reporting updated data following initial breach reporting, and if regulations do not require any further timely notification to patients and to the Secretary, patients may be left in the dark about how their healthcare providers protect – or have failed to protect – their privacy.

This morning, DataBreaches re-ran the search for incidents reported to HHS during 2023 that were still showing only 500 or 501 markers. There were still 34 such reports, some going back to January 2023. Of the 34 reports, two were coded as Unauthorized Access or Disclosure, and one was coded as Improper Disposal. The remaining 31 were all coded as Hacking/IT Incidents. Only one of them had a closing investigation note, meaning that the other cases were presumably still open and under investigation.

So some of the more than 50 reports Protenus had noted in its 2024 Breach Barometer report have been updated since then, but there are still almost three dozen incidents reported to HHS in 2023 for which we do not have updated notices and for which patients may not have been sent any notification letters.

DataBreaches also ran a search for incidents reported to HHS in 2024 that currently showed 500 or 501 markers. Protenus had reported that there were 49 such reports as of September 12 for this year. There are currently 54 such reports. One is coded as Theft, one is coded as Improper Disposal, and the remaining 52 are coded as Hacking/IT Incidents.
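As an added illustration that is not part of the original post or of any DataBreaches tooling, the check described above can be scripted against a portal export: find the reports for a given submission year whose "Individuals Affected" value is still a 500/501 marker, tally them by breach type, and flag the ones that have sat at the placeholder for too long. The column names, the entity names and the dates below are constructed assumptions, not data from the page.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample shaped like an HHS breach-portal CSV export.
# Column names are assumptions; entities, counts and dates are made up.
SAMPLE_CSV = """Name of Covered Entity,State,Individuals Affected,Breach Submission Date,Type of Breach
Example Clinic A,CA,500,01/12/2023,Hacking/IT Incident
Example Practice B,TX,501,03/02/2023,Unauthorized Access/Disclosure
Example Hospital C,NY,"24,937",05/03/2024,Hacking/IT Incident
Example Center D,OH,500,06/18/2024,Theft
Example Group E,FL,500,07/30/2024,Hacking/IT Incident
Example Lab F,WA,1200,09/01/2023,Hacking/IT Incident
"""

# The values entities file when they do not yet know the real count.
PLACEHOLDER_COUNTS = {500, 501}


def parse_rows(text):
    """Parse a portal-style CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def submission_date(row):
    # Assumed MM/DD/YYYY format for the submission date column.
    return datetime.strptime(row["Breach Submission Date"], "%m/%d/%Y")


def placeholder_reports(rows, year):
    """Reports filed in `year` whose affected count is still a 500/501 marker."""
    return [
        r for r in rows
        if submission_date(r).year == year
        and int(r["Individuals Affected"].replace(",", "")) in PLACEHOLDER_COUNTS
    ]


def tally_by_breach_type(rows):
    """Count reports per 'Type of Breach' code, as the post does by hand."""
    return Counter(r["Type of Breach"] for r in rows)


def stale_placeholders(rows, as_of, min_days):
    """Placeholder reports open at least `min_days` as of `as_of`, regardless of year."""
    return [
        r for r in rows
        if int(r["Individuals Affected"].replace(",", "")) in PLACEHOLDER_COUNTS
        and (as_of - submission_date(r)).days >= min_days
    ]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    for year in (2023, 2024):
        stuck = placeholder_reports(rows, year)
        print(year, len(stuck), dict(tally_by_breach_type(stuck)))
    for r in stale_placeholders(rows, datetime(2024, 11, 8), 120):
        print("stale:", r["Name of Covered Entity"], r["Breach Submission Date"])
```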

How many of these incidents involve data that has already been leaked on the dark web or clear net? How many patients might have nude photos of them exposed on the internet but have not found out yet?

Perhaps HHS should run a concerted campaign to get entities to report and update their reports in a timely manner. The fact that it did not even reply to an inquiry asking what it does suggests that this has not been a priority for HHS at all. It should be. Not only should HHS follow up and get entities to update their reports promptly, but it should also take a look at whether the notification letters disclose when entities already know that data has been leaked on the internet.

Too much information continues to be withheld from patients affected by breaches. DataBreaches does not know whether the incoming administration will care or if it will dismantle or weaken HHS OCR, but DataBreaches will continue to care and continue to sound off and push for more transparency and accountability.


© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.