HHS Makes Changes to 'Wall of Shame' Breach Reporting SiteHealth Data Breaches Separately Listed as 'Resolved' or 'Under Investigation'
The Department of Health and Human Services has made changes to its website, widely referred to as the "wall of shame," that lists reports of major health data breaches affecting 500 or more individuals. The changes come after complaints from some members of Congress and others that the website unfairly exposes breached organizations to endless public scrutiny because incidents are indefinitely listed on the site.
See Also: The Power and Scale of XDR
The site now features two separate listings of major breaches - a front page with incidents that were reported in the last 24 months and are still under investigation by HHS' Office for Civil Rights and an archive that includes breach reports older than 24 months old as well as all breaches reported since 2009 for which investigations have been resolved. Thus, no incidents have been removed from the tally.
The website was unveiled in 2009, as called for under the HITECH Act, which requires HHS to make public the information HIPAA covered entities report to OCR when they are involved in breaches of unsecured protected health information of 500 or more individuals.
Since its launch, the website has listed the name of the entity reporting a major breach; the state where the entity is located; the number of individuals affected by the breach; the date of the breach; the type of breach - such as hacking/IT incident, theft, loss or unauthorized access/disclosure; and the location of the breached information, for example, laptop, paper records or desktop computer.
Other new features on the breach tally include:
- Improved navigation to additional breach information;
- Tips for consumers about breaches, such as links to Federal Trade Commission information about what individuals can do to protect themselves from becoming identity theft victims.
As of July 25, OCR lists 354 major health data breaches under investigation that were reported within the last 24 months and another 2,006 breaches for which investigations have been resolved and/or for which reports were filed more than 24 months ago. A total of about 174.6 million individuals have been affected by all these breaches since 2009.
More Changes to Come?
In a statement announcing the updates, OCR says it "plans on expanding and improving the site over time to add functionality and features based on feedback. The HBRT [HIPAA Breach Reporting Tool] provides transparency to the public and organizations covered by HIPAA and helps highlight the importance of safeguards to protect the privacy and security of sensitive health care information."
OCR did not immediately respond to an ISMG request to comment on the site changes and why they were made.
OCR has long expressed its dislike for the "wall of shame" nickname applied to the site since its inception by researchers and media outlets. And some members of Congress have recently complained that the website is an unfair source of long-term embarrassment for the organizations listed - especially for those that report breaches that aren't necessarily their fault - because breach incidents are permanently listed on the tally, no matter how long ago they took place.
At a June 8 House subcommittee hearing examining cybersecurity challenges in healthcare, Leo Scanlon, HHS deputy chief information security officer, told Rep. Michael Burgess, R-Texas, that HHS Secretary Tom Price was re-evaluating the HHS breach reporting website.
The congressman had criticized the HHS breach tally during an April subcommittee hearing, arguing the website was unnecessarily punitive to some entities, especially in cases involving ransomware attacks in which data was successfully recovered without the healthcare provider paying a ransom (see Pros and Cons of Potential 'Wall of Shame' Changes).
"We heard you loud and clear at that hearing and we took that matter back to the secretary," Scanlon said.
Although the HHS breach tally potentially triggers extra public scrutiny for organizations reporting major breaches, it serves a significant purpose, some data security experts say.
"It is extremely important that all reported breaches affecting 500 or more people, including historic data, be publicly posted and readily available to the public, regardless of whether the entity was at fault," argues Kate Borten, president of the privacy and security consulting firm The Marblehead Group.
Privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek, says he respects the view of critics who look upon the list of reported breaches as a "type of branding" that an organization could not overcome. "Who could forecast in 2009 that there would be so many breaches reported as to make searching through the database unwieldy?" he asks.
But he also points out: "The list of self-reported breaches is very helpful for consumers and other participants in the healthcare industry to identify the types of issues causing breaches and periodicity of reports. The database is all the more useful when it allows for viewing of summaries of reviews into reports filed through the OCR breach reporting portal."
Holtzman - a former OCR senior adviser - notes that Congress used the HITECH Act "to provide transparency to patients and their families" on those organizations that have reported incidents to HHS in which the unsecured PHI of more 500 individuals was acquired or disclosed.
"There is bipartisan agreement that a breach has the greatest potential to harm the individual," he says. "It is fair and just to recognize it is the individual victim who needs protection and provide to the general public some notice that they may want to take action to protect against harms that could result from the unauthorized disclosure of their sensitive health or financial information."