Many HHS investigations still open years later?
If you’re hoping that HHS will do anything about the recent Community Health Systems breach affecting 4.5 million patients across the country, don’t hold your breath.
Not only is the incident not even up yet on HHS’s public breach tool, where it will become the second largest breach since such public reporting went into effect in September 2009, but a review of other large breaches shows that apparently, not one of them has resulted in a closed or completed investigation.
Take a look at the four largest breaches currently listed in the breach tool:
Do you see all those empty fields for “Web Description?”
According to what a spokesperson for HHS had told me some time ago, when HHS closes an investigation, it then enters a summary of the incident that includes what steps the entity after the breach, etc.
The fact that these fields are all empty, then, suggests that there is either still an open investigation of these breaches or HHS never investigated – or that they just haven’t kept up with updating the breach tool. I’m inclined to think it’s the first of these alternatives.
Surely it would be more helpful for covered entities if OCR investigated promptly and closed cases or took action more promptly so that covered entities could learn what kinds of security failures result in penalties or action. Announcing a monetary penalty years after a breach is of deterrent value than a promptly issued and publicized one.