Breaches.net

ENFORCEMENT: How does HHS follow up on reports that “500” were affected?

Posted on March 23, 2024 by Dissent Doe

DataBreaches.net recently reported on three patient data breach disclosures that all exceeded the 60-day notification deadline set by HIPAA for informing both the U.S. Department of Health and Human Services (HHS) and the patients affected.

Entities frequently fail to comply with the notification deadline, but HHS OCR does not appear to have done much of anything to enforce it. DataBreaches found only one enforcement action, in 2017, that carried a monetary penalty. In that case, HHS OCR imposed a $475,000 monetary penalty and a corrective action plan on a covered entity that experienced a breach in 2013 but did not notify HHS and patients for more than 100 days. Other than that one case, DataBreaches has not found any case in which HHS OCR imposed a monetary penalty for failure to comply with notification timeliness. What kind of message does that send?

As a reminder, here is the regulatory definition of “discovery” and the requirement for notification in no more than 60 days:

From Sec. 13402 of HITECH:

(c) Breaches Treated as Discovered.—For purposes of this section, a breach shall be treated as discovered by a covered entity or by a business associate as of the first day on which such breach is known to such entity or associate, respectively, (including any person, other than the individual committing the breach, that is an employee, officer, or other agent of such entity or associate, respectively) or should reasonably have been known to such entity or associate (or person) to have occurred.

(d) Timeliness of Notification.—

(1) In General.—Subject to subsection (g), all notifications required under this section shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach by the covered entity involved (or business associate involved in the case of a notification required under subsection (b)).

(2) Burden of Proof.—The covered entity involved (or business associate involved in the case of a notification required under subsection (b)), shall have the burden of demonstrating that all notifications were made as required under this part, including evidence demonstrating the necessity of any delay.

In compiling data breach reports for Protenus’s 2024 Breach Barometer report, DataBreaches found more than 55 incidents reported to HHS in 2023 where entities reported that “500” or “501” patients were affected. Using 500 or 501 for the number of patients affected enables entities to technically comply with the 60-day deadline to notify HHS and patients, and it has come to be interpreted as the entity reporting a breach while indicating that it does not yet know the total number of patients affected. In that respect, reports of 500 or 501 patients affected are markers. But what happens after that?

Under such circumstances, and recognizing that entities may discover more patients that need to be notified after they have already filed their disclosure, HHS’s general instructions inform entities that they are to submit an update to HHS for the incident report using the transaction identifier for the original report. But how many entities really do update their reports? For the 57 reports in 2023 that appeared to use markers, only four updated their reports by the end of 2023.

As part of its investigation, DataBreaches also went back to the beginning of HHS’s public breach tool and read HHS’s closing statements on early incidents reporting 500 affected. In many cases, the closing statements merely noted that the entity had reported 500 patients affected and then went on to provide other details. In no closing statement that DataBreaches reviewed did HHS ever seem to question the report of 500 or ask for proof that it was only 500.

DataBreaches does not know for a fact that all entities reporting 500 or 501 are merely using that as a marker. It’s possible, of course, that an incident did have 500 or 501 affected. But in cases of hacks or ransomware attacks, it’s more likely that there are many more than 500 affected. For many ransomware or hacking incidents, there may be tens of thousands, hundreds of thousands, or even millions of patients affected. If we use the mean number of records per breach from a recent analysis and multiply that by 53, we would have almost ten million more records or patients affected than what currently appears on HHS’s public breach tool for 2023.

This is not just about the number of records, though. Each affected patient is supposed to be notified. If Covered Entity ABC reports in January that “500” patients were affected in a ransomware incident, how does HHS know whether Covered Entity ABC ever really identified all the patients who needed to be notified and notified them all? And if the entity did notify them, when were they notified? Was their personally identifiable information and protected health information floating around on the dark web, freely available to everyone, for six months before patients were alerted to the breach? Nine months? Longer? Is this part of HHS’s investigation into a breach reported to them? And if the entity cannot provide a good reason for not notifying within 60 days from discovery, should HHS OCR consider a monetary penalty and corrective action plan?

How is HHS investigating incidents with “500” or “501” markers? Or isn’t it investigating the number reported at all?

In January of this year, DataBreaches contacted HHS Media to inquire exactly what HHS does when an entity submits what might simply be a “marker” of 500.

Despite multiple email requests and two phone calls to HHS Media with detailed voicemail inquiries, HHS Media never responded, not even months later to acknowledge the inquiry.

Having had four polite inquiries totally ignored, DataBreaches filed a Freedom of Information Act (FOIA) request with HHS seeking responsive records for:

  1. Any documents, policy statements, records, discussions, or correspondence pertaining to HHS OCR’s procedures or protocols for following up on breach reports initially filed with “500” or “501” patients affected, where the actual number is likely to exceed the reported figure.
  2. Any documents, policy statements, records, or materials outlining whether HHS ever suspects reported figures to be inaccurately low, and if so, the measures or actions it undertakes or plans to undertake to address such discrepancies.
  3. Any documents, policy statements, records, or materials documenting instances where HHS OCR initiated enforcement actions or resolution agreements due to the failure of entities to update reported figures as required.

A redacted version of the FOIA request is available here (.pdf). No substantive response has been received as yet.

Data from 2023

The table below lists the entities that reported 500 or 501 patients affected to HHS during calendar year 2023. In four of the 57 cases found, the entity updated its numbers by the end of the year, and those updated numbers were included in the Breach Barometer analyses. For the others, DataBreaches found no updated listing in HHS by the end of the year, even when the entity apparently provided updated numbers to the Maine Attorney General’s Office. The table has since been updated to note where an entity did update its numbers, but only after the close of 2023. Data are current as of March 23, 2024. Where no update is noted, the “500” or “501” still appears in HHS’s public breach tool.

Entities Reporting 500 or 501 Patients Affected in 2023 Report to HHS

| Entity | Reported to HHS | Note |
|---|---|---|
| BBRx Pharmacy | 11/7 | |
| Berry, Dunn, McNeil & Parker, LLC | 11/21 | |
| Cardiothoracic and Vascular Surgeons P.A. of Waco | 12/12 | |
| Catholic Charities of the Archdiocese of Newark | 7/7 | Updated to 9,895 by March of 2024 |
| City of Hope | 12/12 | Updated to 827,149 in report to Maine in April 2024, but HHS not updated yet. |
| City of Philadelphia | 10/20 | |
| CKF Addiction Treatment, Inc. | 11/17 | |
| Coastal Orthopedics & Sports Medicine of Southwest Florida | 8/10 | Updated to 203,427 |
| Community Healthcare Network, Inc. | 11/30 | |
| Confucius pharmacy | 11/7 | |
| Cook County Health & Hospitals | 09/24 | PJ&A reported 1.2 million, but Cook County reported 500 to HHS and had not updated by March 2024 |
| Cummins Behavioral Health Systems | 4/12 | Notified Maine that 157,688 were affected but apparently never updated HHS, as of July 2024. |
| Dallas County | 4/14 | |
| Dallas County | 12/18 | |
| Delta Dental and affiliates | 9/05 | Updated to Maine on 12/29: 6,928,932, but not updated to HHS by March of 2024 |
| D'Youville Life and Wellness Community, Inc. | 12/14 | |
| Essen Medical Associates, P.C. | 5/16 | Still not updated by July 2024. |
| Fellowship Village | 10/08 | |
| H3- Hope, Healing, Health | 9/29 | Updated to 1,586 by March of 2024 |
| Hayward Sisters Hospital d/b/a St. Rose Hospital | 1/27 | Updated to 115,241 |
| Healix Infusion Therapy, LLC | 11/09 | Updated to 8,341 by March of 2024 |
| Henrietta Johnson Medical Center | 6/27 | Still not updated by July 2024 |
| Hospital Sisters Health System (HSHS) | 10/26 | |
| Intelligent Business Solutions | 1/13 | They reported 11,595 to Maine on 2/10/2023. Updated to HHS by March of 2024 |
| Konen & Associates dba Unified Pain Management | 7/12 | Updated to 5,922 |
| La Red Health Center | 10/20 | Updated to 39,759 by end of year |
| Mannings 8th Ave Inc. | 11/7 | |
| McAlester Regional Medical Center | 8/21 | Updated to 37,731 by end of year |
| McAllen Hospitals, LP d/b/a South Texas Health System | 3/20 | Updated to 134,634 by March of 2024 |
| McLaren Health | 10/20 | |
| Minuteman Senior Services | 1/27 | Still not updated by July 2024 |
| Mississippi Children's Home Society, CARES Center, Inc., Mississippi Children's Home Services, Inc., d.b.a. Canopy Children's Solutions | 6/2 | Updated to 19,190 on April 11, 2024 in report to Maine. |
| Montgomery General Hospital | 4/11 | Removed from HHS? |
| Mount Carmel Care Center | 12/14 | |
| Mt. Graham Regional Medical Center | 9/29 | Updated to 35,688 by end of year |
| Nelson Pharmacy Consulting Services PLC | 2/10 | Updated to 13,752 |
| Neurosurgical Associates of New Jersey (aka Neurosurgeons of NJ) | 12/4 | |
| North Shore Medical Labs | 5/26 | Still not updated by July 2024 |
| Norton Healthcare | 7/7 | Reported 2.5M to Maine in December. HHS not updated by March 2024. |
| One Brooklyn Health System | 01/18 | Subsequently reported 235,251 to Maine in April of 2023. HHS not updated by March 2024. |
| Paramedic Billing Services | 7/21 | Still not updated by July 2024 |
| Prestige Care | 11/6 | |
| Public Health Management Corporation | 7/6 | Still not updated by July 2024 |
| Ryu Physical Therapy, P.C. | 3/11 | HHS closed investigation with report of 500. Did they just accept/believe that number? |
| Senior Choice, Inc., dba The Atrium (216 Main Street, Johnstown, PA 15901), Beacon Ridge (1515 Wayne Ave, Indiana, PA 15701), and The Patriot (495 W Patriot St, Somerset, PA 15501) | 6/23 | Still not updated by July 2024 |
| Singing River Health (Pascagoula Hospital, Ocean Springs Hospital, and Gulfport Hospital plus clinics) | 10/18 | |
| South Jersey Behavioral Health Resources, Inc. | 6/4 | Not updated to HHS by July 2024 |
| SouthCoast Medical Group | 8/17 | Not updated to HHS by July 2024 |
| SysInformation Healthcare Services, LLC (BA) | 8/17 | No number finalized by July 2024 |
| Tennessee Orthopaedic Clinics | 5/19 | Updated to 46,679 by March of 2024 |
| The Pavillion at Health Park, LLC dba Park Royal Hospital | 7/14 | Still not updated by July 2024 |
| The Williamsport Home | 6/23 | Still not updated by July 2024 |
| Unified Operations Virginia LP (BA) | 6/2 | Still not updated by July 2024 |
| Valley Obstetrics & Gynecology PC | 6/9 | Updated to 61,327 by end of year |
| Waterford Country School | 12/5 | |
| WellLife Network Inc. | 11/6 | |
| Youth and Shelter Services, Inc. | 11/3 | |
Categories: Breach Notification Letters, Enforcement, Federal, HITECH Compliance, Number Affected, Timeliness
