HHS Makes Changes to 'Wall of Shame' Breach Reporting Site

Marianne Kolbasuk McGee | Gov Info Security | July 25, 2017

Health Data Breaches Separately Listed as 'Resolved' or 'Under Investigation'

The Department of Health and Human Services has made changes to its website, widely referred to as the "wall of shame," that lists reports of major health data breaches affecting 500 or more individuals. The changes come after complaints from some members of Congress and others that the website unfairly exposes breached organizations to endless public scrutiny because incidents are indefinitely listed on the site. The site now features two separate listings of major breaches - a front page with incidents that were reported in the last 24 months and are still under investigation by HHS' Office for Civil Rights, and an archive that includes breach reports older than 24 months as well as all breaches reported since 2009 for which investigations have been resolved. Thus, no incidents have been removed from the tally.

New Features

The website was unveiled in 2009, as called for under the HITECH Act, which requires HHS to make public the information HIPAA covered entities report to OCR when they are involved in breaches of unsecured protected health information of 500 or more individuals. Since its launch, the website has listed the name of the entity reporting a major breach; the state where the entity is located; the number of individuals affected by the breach; the date of the breach; the type of breach - such as hacking/IT incident, theft, loss or unauthorized access/disclosure; and the location of the breached information, for example, laptop, paper records or desktop computer...