ENFORCEMENT: How does HHS follow up on reports that "500" were affected? (DataBreaches.net)

DataBreaches.net

Tell the truth, or someone will tell it for you.

Should entities be able to write "Your data may have been accessed" when they know it was not only accessed but was acquired?

Should entities have to notify people that their data has been dumped on the dark web?

An entity was threatened that their patients would be swatted if they didn't pay the criminals' demands. Should the patients have been notified of the threat?

DataBreaches.net recently reported on three patient data breach disclosures that all exceeded the 60-day notification deadline set by HIPAA for informing both the U.S. Department of Health and Human Services (HHS) and the patients affected.

Entities frequently fail to really comply with the notification deadline, but HHS OCR does not appear to have done much of anything to enforce it. DataBreaches found one enforcement action, in 2017, with a monetary penalty. In that case, HHS OCR imposed a $475,000 monetary penalty and a corrective action plan on a covered entity that experienced a breach in 2013 but did not notify HHS and patients for more than 100 days. Other than that one case, DataBreaches has not found any other cases in which HHS OCR imposed any monetary penalty for failure to comply with notification timeliness. What kind of message does that send?

As a reminder, here is the regulatory definition of "discovery" and the requirement for notification in no more than 60 days.

From Sec. 13402 of HITECH:

(c) Breaches Treated as Discovered. For purposes of this section, a breach shall be treated as discovered by a covered entity or by a business associate as of the first day on which such breach is known to such entity or associate, respectively (including any person, other than the individual committing the breach, that is an employee, officer, or other agent of such entity or associate, respectively), or should reasonably have been known to such entity or associate (or person) to have occurred.

(d) Timeliness of Notification.

(1) In General. Subject to subsection (g), all notifications required under this section shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach by the covered entity involved (or business associate involved in the case of a notification required under subsection (b)).

(2) Burden of Proof. The covered entity involved (or business associate involved in the case of a notification required under subsection (b)) shall have the burden of demonstrating that all notifications were made as required under this part, including evidence demonstrating the necessity of any delay.

In compiling data breach reports for Protenus's 2024 Breach Barometer report, DataBreaches found more than 55 incidents reported to HHS in 2023 where entities reported that "500" or "501" patients were affected. Using 500 or 501 for the number of patients affected enables entities to technically comply with the 60-day deadline to notify HHS and patients, and it has come to be interpreted as the entity reporting a breach but indicating that they do not yet know the total number of patients affected. In that respect, reports of 500 or 501 patients affected are "markers." But what happens after that?

Under such circumstances, and recognizing that entities may discover more patients that need to be notified after they have already filed their disclosure, HHS's general instructions inform entities that they are to submit an update to HHS for the incident report, using the transaction identifier for the original report. But how many entities really do update their reports? For the 57 reports in 2023 that appeared to use markers, only four updated their reports by the end of 2023.

As part of its investigation, DataBreaches also went back to the beginning of HHS's public breach tool and read HHS's closing statements on early incidents reporting "500" affected. In many cases, the closing statements merely noted that the entity had reported 500 patients affected and then went on to provide other details. In no closing statement that DataBreaches reviewed did HHS ever seem to question the report of 500 or ask for proof that it was only 500.

DataBreaches does not know for a fact that all entities reporting 500 or 501 are merely using that as a marker. It's possible, of course, that an incident did have 500 or 501 affected. But in cases of hacks or ransomware attacks, it's more likely that there are many more than 500 affected. For many ransomware incidents or hacking incidents, there may be tens of thousands, hundreds of thousands, or even millions of patients affected. If we use the mean number of records per breach from a recent analysis and multiply that by 53 (the 57 marker reports minus the four that were updated), we would have almost ten million more records (or patients) affected than what currently appears on HHS's public breach tool for 2023.

This is not just about the number of records, though. Each affected patient is supposed to be notified. If Covered Entity ABC reports in January that 500 patients were affected in a ransomware incident, how does HHS know whether Covered Entity ABC ever really identified all the patients who needed to be notified, and notified them all? And if the entity did notify them, when were they notified? Was their personally identifiable information and protected health information floating around on the dark web, freely available to everyone, for six months before patients were alerted to the breach? Nine months? Longer? Is this part of HHS's investigation into a breach reported to them? And if the entity cannot provide a good reason for not notifying within 60 days from discovery, should HHS OCR consider a monetary penalty and corrective action plan?

In January of this year, DataBreaches contacted HHS Media to inquire exactly what HHS does when an entity submits what might simply be a marker of "500."

Despite multiple email requests and two phone calls to HHS Media with detailed voicemail inquiries, HHS Media never responded, not even months later, to acknowledge the inquiry.

Having had four polite inquiries totally ignored, DataBreaches filed a Freedom of Information (FOIA) request with HHS seeking responsive records for:

A redacted version of the FOIA request is available here (pdf). No substantive response has been received as yet.

The table below reports the names of entities that reported 500 or 501 patients affected to HHS during calendar year 2023. In four of the 57 cases found, the entity updated their numbers by the end of the year, and their updated numbers were included in the Breach Barometer analyses. For the others, DataBreaches found no updated listing in HHS by the end of the year, even when the entity apparently provided updated numbers to the Maine Attorney General's Office. The table below has been updated to note when the entity did update their numbers, but after the close of the 2023 year. Data have been updated as of March 23, 2024. If there is no update, then the 500 or 501 still appear in HHS's public breach tool.

Email: info@breaches.net
infosec.exchange: @pogowasright
Telegram: DissentDoe
Signal: +1 516-776-7756

PogoWasRight.org
DataBreaches.net