This article introduces an upcoming series of posts scrutinizing federal and state regulators’ enforcement of data security and breach notification laws.
The inaugural post will consider how the U.S. Department of Health and Human Services (HHS) enforces the 60-day notification requirement when covered entities do not notify everyone within 60 days, misrepresent when they actually discovered the breach, and fail to update their report to HHS after their initial report. Does HHS really believe only 500 patients were affected by a ransomware attack or hack? If not, what is it doing to get entities to notify it and the affected patients?
The second post in the series lists enforcement actions related to data security and breach notifications, categorized by federal agencies and state attorneys general.
The third post questions whether entities really fear enforcement by HHS OCR given how relatively seldom HHS OCR imposes monetary penalties or corrective action plans.
Other posts on enforcement, covering other federal agencies and issues, will follow. And as time allows, Breaches will submit Freedom of Information requests and watchdog complaints to regulators.
While enforcement is a key issue and theme of this site, it’s not the only one. Be sure to look for posts on other subjects such as misleading data breach notification letters and the lack of transparency in incident response.