A Note About 500 Breach "Markers"

In the 2024 Breach Barometer report on 2023 data (published March 2024), 
Protenus noted dozens of reports in HHS’s public breach tool where entities had reported 500 or more patients were affected by a breach using “500” or “501” as the marker. Although it is possible that 500 (or 501)  was an accurate number in some cases, in most cases, that appeared to just be a placeholder or “marker” to indicate that the entity did not yet know the actual number of patient records, but knew that there were more than the 500 number which would trigger a timely report to HHS. By the end of 2023, 53 of these breach marker reports had not been updated.    

As of September 2024, Protenus finds that 38 of those 53 reports filed in 2023 still have not been updated. In some of these cases, we have seen numbers for the incidents that were submitted to state regulators, but since most states do not qualify patients versus general public or consumer records, and do not require submissions to specifically identify the number of patients affected, submissions to individual states may not accurately reflect the number of patients that would be reported to HHS. Thus, we cannot accurately make comparisons or assumptions on the actual records breached from state specific reports.

Markers Are Not New

2023 wasn’t the first year in which we saw 500 as reported numbers marker. As of September 12, 2024, 36 entries in HHS’s public breach tool for the period of January 1, 2019 – December 31, 2022 still show 500 for the number affected. For those reports where closing statements were available from HHS, nine were from ransomware attacks, four involved phishing attacks, two involved insider-wrongdoing, four involved improper disposal, and one involved theft. Protenus suspects that at the very least, the ransomware incidents likely each affected more than 500 patients.

So far for 2024, 49 out of 488 reports on HHS’s breach tool report the 500 marker as the number of patients affected. One of those reports has already been investigated and closed. That incident involved improperly stored paper records with PHI. There is no indication whether the entity truly claims that 500 patients were affected or whether HHS ever questioned the entity about the number affected.

For the 2024 data, although 10% of reports using markers may seem like an 
acceptable percentage for these types of filings, consider this: one of the marker incidents is the gigantic Change Healthcare breach that affected an estimated one third of the American population and numerous covered entities. The breach occurred in February of 2024, but was only first reported to HHS in July with a 500 marker. According to the HHS website, “Change Healthcare’s breach report to OCR identifies 500 individuals as the ‘approximate number of individuals affected.’ This is the minimum number of individuals affected that results in a posting of a breach on the HHS Breach Portal.” This event alone is likely to seriously skew all analyses and data for 2024. OCR initiated a compliance investigation in March, and that investigation is still pending.

Should There Have Been Updates by Now?

HHS's information for entities on submitting a notice of a breach to the Secretary states, in part:

“A covered entity’s breach notification obligations differ based on whether the breach affects 500 or more individuals or fewer than 500 individuals. If the number of individuals affected by a breach is uncertain at the time of submission, the covered entity should provide an estimate, and, if it discovers additional information, submit updates in the manner specified below. If only one option is available in a particular submission category, the covered entity should pick the best option, and may provide additional details in the free text portion of the submission.

If a covered entity discovers additional information that supplements, modifies, or clarifies a previously submitted notice to the Secretary, it may submit an additional form by checking the appropriate box to indicate that it is an addendum to the initial report, using the transaction number provided after its submission of the initial breach report.”

For the 2019-2022 data, entities certainly have had enough time to submit revised estimates or actual numbers for affected patients. Were they unable to determine the real number affected, did the pandemic interfere with such investigations, or were there other issues affecting the ability to update breach totals? From a regulatory perspective, organizations followed the guidance to submit markers when the actual count is not yet known, so this satisfies the requirements for HHS.

And what about the 2023 data? If we assume entities are reporting breach 
numbers to individual states (albeit not all is health data), would they not also 
submit updated or revised estimates to HHS by now?

How Does HHS Enforce Updates to Markers?

In the 2024 Breach Barometer, we reported that DataBreaches.net had sought an explanation from HHS as to how it follows up on marker submissions. Getting no response to multiple inquiries, DataBreaches.net filed under Freedom of Information to request records dealing with policies and procedures when markers are used to report healthcare breaches. No substantive reply has been received.

As these entities are following the written guidance of reporting a breach within the 60 day window, and providing a marker in the event the actual number of records are unknown, one could argue they have done what is needed.

In a recent video interview.  HHS OCR Director Melanie Fontes Rainer stated,

We have reopened our HITECH audits. And so we're proactively doing audits as well right now.