HHS breach tool: When "theft" doesn't mean what you think it means
In May 2011, I noted a breach that had appeared on HHS’s public breach tool involving Community Action Partnership of Natrona County, WY.
An update to that breach was added to the breach tool on September 3 that suggests that the original breach coding by the covered entity as “theft, desktop computer” could have misled some people into thinking that the data were on a stolen desktop. But read HHS’s summary of the incident and investigation:
Community Action partnership of Natrona County,WY,””,15000,02/23/2011,Theft,Desktop Computer,09/03/2014,
“The covered entity (CE), Community Action Partnership of Natrona County, reported a breach affecting approximately 15,000 individuals, wherein it asserted that a virus had infected a computer and exported data. The CE provided breach notification to HHS and the media. Upon investigation, the CE determined that no protected health information was exported or breached. As a result of OCR’s compliance review, the CE improved safeguards to protect its computers from viruses and malware, conducted a risk analysis, drafted a risk management plan, and revised or developed its HIPAA policies and procedures.”
Okay, so there was potential theft of information via virus – and not theft of a computer. Unfortunately, by the time HHS added the incident to their breach tool, the media notice that might have clarified things for us was no longer available.
But what does that confusion about “theft” suggest about all the analyses and commentaries that have been based on HHS’s breach tool and coding? Are analyses that talk about “theft” misleading or inaccurate because the coding system is misleading?
I have repeatedly stated that their coding system is unhelpful. Elsewhere today, I have posted a number of breaches for which we have inadequate information and where their coding system may leave us scratching our heads.
Once again, I would urge HHS to revise its coding system for describing breaches so that those of us who analyze breaches can trust that “theft” means “theft” and not “exfiltration,” and so that there are fields for inputting malware as being involved. They can use VERIS’s coding system or any other meaningful coding system. And ideally, they would include a brief narrative from the covered entity itself that would give us a better sense of what the entity was trying to report.
HHS’s failure to improve their system despite repeated criticisms as to its lack of helpfulness is seriously disappointing.