Charles Ornstein of Pro Publica talked with Jocelyn Samuels, director of OCR. You can read his interview on ProPublica.org. Pretty much everything they touched on has been discussed numerous times on PHIprivacy.net, so you may not find anything new in the interview if you were a regular reader of PHIprivacy.net, but I suppose it’s still reassuring to hear the director of OCR say that patient privacy isn’t dead.
That said, if you look at HHS’s public breach tool, and look at how many breach investigations are still not concluded, years later, it should continue to concern us.
Both HHS and FTC have resources that are insufficient to really keep up in a timely fashion with data security enforcement. And all too often, the public doesn’t find out about corrective action plans OCR obtained from covered entities unless the plan is attached to a press release announcing the rare monetary penalty. The information is out there if you know where to look, but again, it may take years before we get more information. I am not criticizing staff at HHS and OCR who work diligently. But let’s face it, they need a lot more resources to do their job in a timely fashion.
In some cases, the delay may leave patients at continued risk of ID theft or medical identity theft. Consider, as one example, the breach involving Lanap & Dental Implants of Pennsylvania that was first reported by WNEP in Pennsylvania in December 2013, and reported on PHIprivacy.net. That breach occurred in 2010, and only some of the patients were notified in 2012. Those who were notified were not even told that their information, including Social Security numbers, were available for download on multiple torrent sites. To this day, patients who may never have been informed of the breach would be – and are – still at risk because their information is still freely available online. In January 2014, this blogger filed complaints with both HHS and the FTC over the breach in terms of compliance with the Security Rule, notification requirements under HITECH, and unfair and deceptive practices under Section 5 of the FTC Act.
What did either agency do with that complaint? We have no idea because investigations are not public. The only thing we do know is that in 2014, HHS revised its entry for the incident on its public breach tool. But as there is no summary for the investigation, we must presume the investigation is still open. So five years after patient data was uploaded to torrent sites, are there patients who still don’t know that their personal information is freely available to criminals? Maybe OCR knows, but we don’t know the answer to that.
Pro Publica is also looking for patients who have had their privacy violated to share their story. Patients and consumers have always been welcome to share their reactions and experiences on this site and PHIprivacy.net, but if you’d like to reach a wider national audience, do consider contacting them, too.