A Department of Health and Human Services office announced a new push to investigate health information breaches affecting fewer than 500 people — a shift that could be reflective of a recent spate of ransomware attacks on hospitals and medical practices, some experts said.
“It definitely makes it more vital for any organization to be more concerned about risks — but especially, I would say, smaller organizations that typically face a smaller risk because of their size” and the fact that they hold less data, said Axel Wirth, health care solutions architect at Symantec.
Each of the Office of Civil Rights’ nine regional units “will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches,” according to the announcement, sent out on the office’s privacy and security Listservs last month.
“OCR, through the continuing hard work of its Regional Offices, has begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals,” the notice said.
The regional offices will consider factors like the size of the breach and whether it involved the theft or improper disposal of unencrypted protected health information.
Federal rules require that health care providers or other groups covered by Health Insurance Portability and Accountability Act report breaches affecting more than 500 people within 60 days of discovery, and smaller breaches must be disclosed annually.
“OCR’s Regional Offices investigate all reported breaches involving the PHI [protected health information] of 500 or more individuals,” the notice says. “Regional Offices also investigate reports of smaller breaches (involving the PHI of fewer 500 individuals), as resources permit.”
Though, it hasn’t scrutinized as many smaller breaches.
“I’ve heard people speculate that reporting of those smaller breaches is pretty poor because of the lack of enforcement and therefore the very low legal risk of not complying,” Wirth said.
But in the notice, the office highlighted some recent efforts to investigate smaller breaches, including one that impacted 412 people.
Wirth said the new announcement indicates OCR “understands the spectrum of risks and they clearly want to do a better job of analyzing where the weaknesses are in the system.”
Beau Woods, deputy director of the Atlantic Council’s Cyber Statecraft Initiative, said even small ransomware attacks can “have a significant impact on health care providers and the health care system.”
“It doesn’t matter the size of the potential breach of patient records,” he said. “There are other risks that even small breaches pose to health care institutions in the public health system, such as patient care impacts, which is not related to data.”
Indeed, a ransomware attack could effectively shut down services at a hospital, he said.
“But, probably more worrying: If this reaches some kind of critical mass, then it could shake patients’ confidence in the public health system,” he said. “And it could be something that deters people from seeking medical care for preventable things.”