HHS breach tool: When "theft" doesn't mean what you think it means

In May 2011, I noted a breach that had appeared on HHS’s public breach tool involving Community Action Partnership of Natrona County, WY.

An update to that breach was added to the breach tool on September 3 that suggests that the original breach coding by the covered entity as “theft, desktop computer” could have misled some people into thinking that the data were on a stolen desktop. But read HHS’s summary of the incident and investigation:

Community Action partnership of Natrona County,WY,"",15000,02/23/2011,Theft,Desktop Computer,09/03/2014,

“The covered entity (CE), Community Action Partnership of Natrona County, reported a breach affecting approximately 15,000 individuals, wherein it asserted that a virus had infected a computer and exported data. The CE provided breach notification to HHS and the media. Upon investigation, the CE determined that no protected health information was exported or breached. As a result of OCR’s compliance review, the CE improved safeguards to protect its computers from viruses and malware, conducted a risk analysis, drafted a risk management plan, and revised or developed its HIPAA policies and procedures.”

Okay, so there was potential theft of information via a virus – and not theft of a computer. Unfortunately, by the time HHS added the incident to their breach tool, the media notice that might have clarified things for us was no longer available.

But what does that confusion about “theft” suggest about all the analyses and commentaries that have been based on HHS’s breach tool and coding? Are analyses that talk about “theft” misleading or inaccurate because the coding system is misleading?

I have repeatedly stated that their coding system is unhelpful. Elsewhere today, I have posted a number of breaches for which we have inadequate information and where their coding system may leave us scratching our heads.

Once again, I would urge HHS to revise its coding system for describing breaches so that those of us who analyze breaches can trust that “theft” means “theft” and not “exfiltration,” and so that there are fields for inputting malware as being involved. They can use VERIS’s coding system or any other meaningful coding system. And ideally, they would include a brief narrative from the covered entity itself that would give us a better sense of what the entity was trying to report.
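As an added illustration of what a more meaningful coding would look like (this is not part of the original post, nor HHS's or VERIS's own tooling), the Python below reads rows in the shape of the breach-tool export quoted above, recodes each one into simplified VERIS-style action, actor, asset and confidentiality fields, and flags rows where the entity's narrative contradicts the "Theft" code. The column names, the keyword lists, the asset mapping and the actor field are all assumptions; the first sample row is the Natrona County record with HHS's summary appended as a final column, and the other rows are constructed.

```python
import csv
import io
import re

# Constructed rows in the shape of the HHS breach-tool export quoted above.
# The first row is the Natrona County record with HHS's summary text appended
# as a ninth column for illustration; the other two rows are made up.
SAMPLE_CSV = (
    'Community Action partnership of Natrona County,WY,"",15000,02/23/2011,Theft,Desktop Computer,09/03/2014,'
    '"The covered entity asserted that a virus had infected a computer and exported data. '
    'Upon investigation, the covered entity determined that no protected health information '
    'was exported or breached."\n'
    'Example Clinic,XX,"",2500,01/10/2012,Theft,Laptop,03/01/2012,'
    '"An unencrypted laptop was stolen from an employee\'s car."\n'
    'Example Hospital,XX,"",800,05/05/2013,Theft,Paper,06/01/2013,'
    '"A former employee took patient records home after termination."\n'
)

# Assumed column order, matching the visible export plus a summary column.
COLUMNS = ["name", "state", "business_associate", "individuals", "breach_date",
           "type", "location", "posted", "summary"]

# Keyword heuristics (assumptions) for reading the narrative.
MALWARE_RE = re.compile(r"\b(virus|malware|trojan|ransomware|keylogger|spyware)\b", re.I)
INSIDER_RE = re.compile(r"\b(former employee|employee took|insider)\b", re.I)
NO_DISCLOSURE_RE = re.compile(
    r"\bno (?:protected health information|phi|data) (?:was|were) "
    r"(?:exported|breached|accessed|disclosed)", re.I)

# HHS "location" value -> simplified VERIS-style asset variety (assumed mapping).
ASSET_MAP = {
    "desktop computer": "U - Desktop",
    "laptop": "U - Laptop",
    "paper": "M - Documents",
    "network server": "S - Server",
    "other portable electronic device": "M - Flash drive",
}


def recode(row):
    """Map one HHS-style row to VERIS-style fields and flag rows whose
    narrative contradicts the HHS 'type' code."""
    summary = row["summary"]
    hhs_type = row["type"].strip().lower()
    # Default: take the HHS code at face value.
    action = "physical - theft" if hhs_type == "theft" else hhs_type
    actor = "unknown"
    flags = []
    if MALWARE_RE.search(summary):
        # "Theft" of data by malware is an exfiltration, not a stolen device.
        action = "malware"
        actor = "external"
        if hhs_type == "theft":
            flags.append("coded Theft but narrative describes malware")
    elif INSIDER_RE.search(summary):
        actor = "internal"
        if hhs_type == "theft":
            flags.append("coded Theft but narrative describes insider misuse")
    # Record whether the entity later confirmed that nothing was disclosed.
    disclosure = "none confirmed" if NO_DISCLOSURE_RE.search(summary) else "possible"
    return {
        "name": row["name"],
        "action": action,
        "actor": actor,
        "asset": ASSET_MAP.get(row["location"].strip().lower(), "Unknown"),
        "confidentiality": disclosure,
        "flags": flags,
    }


def recode_export(text):
    """Parse a headerless HHS-style CSV export and recode every row."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=COLUMNS)
    return [recode(r) for r in reader]


if __name__ == "__main__":
    for rec in recode_export(SAMPLE_CSV):
        print(rec)
```

Run against the sample rows, the Natrona County record comes out as action "malware" with confidentiality "none confirmed" and a mismatch flag, while the stolen laptop keeps "physical - theft" and the paper-records row is flagged as insider misuse; that is exactly the distinction the single "Theft" code hides.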

HHS’s failure to improve its system, despite repeated criticism of how unhelpful it is, is seriously disappointing.

About the author: Dissent

4 comments to “HHS breach tool: When "theft" doesn't mean what you think it means”

  1. Anonymous - September 12, 2014

    The current system is a mess. One of the benefits of the tool, you would think, would be the ability to manipulate the data to see trends. I am in the process of going through the last four years on the HHS breach tool, trying to identify incidents involving unencrypted USB drives, laptops and desktops. There is no consistency in the data. In addition, the dates are all over the place. If HHS wanted to help CEs to know where to concentrate their resources to mitigate the likelihood of a breach.

    • Anonymous - September 12, 2014

      Can’t you assume that any device reported to HHS was unencrypted (at least by NIST standards for safe harbor)? But yeah, it’s all a mess and people who keep harping on “theft” may be missing the fact that in some of these cases, the “theft” is an insider breach. I wish they had an external/internal/unknown field – among other changes I’d recommend.

      • Anonymous - September 17, 2014

        You are correct, it is understood the devices are unencrypted. What I should have stated was more detailed as to what the device was – USB, laptop, or desktop. “Theft” or “theft of device” is too vague.

        • Anonymous - September 17, 2014

          That, too, yes.
