DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

HHS breach investigations badly backlogged, leaving us in the dark

Posted on February 5, 2013 by Dissent

To say that I am frequently frustrated by HHS’s “breach tool” would be an understatement. Their reporting form and coding often makes it impossible to know – simply by looking at their entries – what type of breach occurred. Consider this description from one of their entries:

“Theft, Unauthorized Access/Disclosure”,”Laptop, Computer, Network Server, Email”

So what happened there? What was stolen? Everything? And what types of patient information were involved?

Or how about this description:

“Unauthorized Access/Disclosure,Paper”

What happened there? Did a mailing expose SSN in the mailing labels or did an employee obtain and share patients’ information with others for a tax refund fraud scheme? Your guess is as good as mine. And HHS’s breach tool does not include any data type fields that might let us know whether patients’ SSN, Medicare numbers, diagnoses, or other information were involved.

If HHS followed up on these entries in a timely fashion with additional details, it would still be somewhat frustrating, but they don’t. HHS withholds crucial information about breaches that are “under investigation” and they are years behind in investigating incidents.

Yes, years.

If you look at the .csv form of the breach tool, you’ll see that when HHS closes an investigation, it enters a summary of the incident. But if you scroll down their database, you’ll note that some incidents from 2010 and many incidents from 2011 are presumably still open. And not one incident’s investigation from 2012 has been closed. Not one.

It is possible that some investigations that appear open are open because they have been referred to OCR for further action or may involve some enforcement action or pending resolution. But for most of the entries, it is not clear why the breach investigation has not been closed. And until it is closed, HHS will not tell us anything.

Because many entities still do not post notifications on their web sites and I cannot always find substitute notices in local media, the breach tool is often the only information we have about a breach involving more than 500 patients’ protected health information. HHS’s reluctance to discuss a case under investigation is understandable, but not if it takes them years to investigate and close a file. And with the new HITECH breach notification rules, there will likely be an increase in the number of breach notifications to HHS and even more breaches that they will have to investigate.

Something needs to change. Those of us who track and analyze breach trends need more transparency and information, not information that is delayed by more than two years.

I’m not sure who in HHS or Congress might give a damn, but feel free to pass these concerns along.

Update: Adam Shostack reacts to this post and offers some useful suggestions in  on his blog.

No related posts.

Category: Health Data

Post navigation

← In Online Patient Communities, How Much Sharing Is Too Much?
Boca Raton Regional Hospital employee charged in tax refund fraud scheme that used patients' information →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure
  • Kentfield Hospital victim of cyberattack by World Leaks, patient data involved
  • India’s Max Financial says hacker accessed customer data from its insurance unit
  • Brazil’s central bank service provider hacked, $140M stolen
  • Iranian and Pro-Regime Cyberattacks Against Americans (2011-Present)
  • Nigerian National Pleads Guilty to International Fraud Scheme that Defrauded Elderly U.S. Victims
  • Nova Scotia Power Data Breach Exposed Information of 280,000 Customers
  • No need to hack when it’s leaking: Brandt Kettwick Defense edition
  • SK Telecom to be fined for late data breach report, ordered to waive cancellation fees, criminal investigation into them launched
  • Louis Vuitton Korea suffers cyberattack as customer data leaked

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • On July 7, Gemini AI will access your WhatsApp and more. Learn how to disable it on Android.
  • German court awards Facebook user €5,000 for data protection violations
  • Record-Breaking $1.55M CCPA Settlement Against Health Information Website Publisher
  • Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
  • US healthcare offshoring: Navigating patient data privacy laws and regulations
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • Google Trackers: What You Can Actually Escape And What You Can’t

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.