The "smaller" breaches we don't see
I recently asked OCR if they have been receiving notifications of breaches affecting less than 500 individuals. Their answer is that they have been receiving such reports, but they will not be posting such reports on their web site. The reports “will be used to inform any reports to Congress on breaches.” As OCR reminded me:
For breaches that affect fewer than 500 individuals, a covered entity must provide the Secretary with notice annually. All notifications of breaches occurring in a calendar year must be submitted within 60 days of the end of the calendar year in which the breaches occurred.
Once again, then, we are left in the dark. Information is being collected, but we don’t how many such incidents are being reported, what the nature or type of breach was, what type(s) of information were involved.
I sent HHS/OCR a follow-up inquiry asking if they would consider revealing what kinds of information were involved in the breaches they do report on the site. Are any SSN or financial data involved? Should these breaches also be included in chronologies of sites such as ITRC and the Privacy Rights Clearinghouse that tabulate incidents that could lead to ID theft? Without additional information, there’s no way to know unless we can find a media report or notice on the entity’s web site — or unless some kind reader sends us a copy of the notification.
The OCR’s response to my inquiry about revealing types of information was that they have no plans to do so at this time.
While their recent attempt to strengthen protections is admirable, there is so much yet to be required — of data protectors and of our own government. We continue to need more transparency as well as more stringent security and privacy requirements.