HHS breach investigations badly backlogged, leaving us in the dark
To say that I am frequently frustrated by HHS’s “breach tool” would be an understatement. Their reporting form and coding often makes it impossible to know – simply by looking at their entries – what type of breach occurred. Consider this description from one of their entries:
“Theft, Unauthorized Access/Disclosure”,”Laptop, Computer, Network Server, Email”
So what happened there? What was stolen? Everything? And what types of patient information were involved?
Or how about this description:
What happened there? Did a mailing expose SSN in the mailing labels or did an employee obtain and share patients’ information with others for a tax refund fraud scheme? Your guess is as good as mine. And HHS’s breach tool does not include any data type fields that might let us know whether patients’ SSN, Medicare numbers, diagnoses, or other information were involved.
If HHS followed up on these entries in a timely fashion with additional details, it would still be somewhat frustrating, but they don’t. HHS withholds crucial information about breaches that are “under investigation” and they are years behind in investigating incidents.
If you look at the .csv form of the breach tool, you’ll see that when HHS closes an investigation, it enters a summary of the incident. But if you scroll down their database, you’ll note that some incidents from 2010 and many incidents from 2011 are presumably still open. And not one incident’s investigation from 2012 has been closed. Not one.
It is possible that some investigations that appear open are open because they have been referred to OCR for further action or may involve some enforcement action or pending resolution. But for most of the entries, it is not clear why the breach investigation has not been closed. And until it is closed, HHS will not tell us anything.
Because many entities still do not post notifications on their web sites and I cannot always find substitute notices in local media, the breach tool is often the only information we have about a breach involving more than 500 patients’ protected health information. HHS’s reluctance to discuss a case under investigation is understandable, but not if it takes them years to investigate and close a file. And with the new HITECH breach notification rules, there will likely be an increase in the number of breach notifications to HHS and even more breaches that they will have to investigate.
Something needs to change. Those of us who track and analyze breach trends need more transparency and information, not information that is delayed by more than two years.
I’m not sure who in HHS or Congress might give a damn, but feel free to pass these concerns along.
Update: Adam Shostack reacts to this post and offers some useful suggestions in on his blog.