
A Note About 500 Breach "Markers"

In the 2024 Breach Barometer report on 2023 data (published March 2024), Protenus noted dozens of reports in HHS’s public breach tool where entities had reported that 500 or more patients were affected by a breach, using “500” or “501” as the marker. Although it is possible that 500 (or 501) was an accurate number in some cases, in most cases it appeared to be just a placeholder or “marker” indicating that the entity did not yet know the actual number of patient records affected, but knew that the number exceeded the 500 threshold that triggers a timely report to HHS. By the end of 2023, 53 of these breach marker reports had not been updated.

As of September 2024, Protenus finds that 38 of those 53 reports filed in 2023 still have not been updated. In some of these cases, we have seen numbers for the incidents that were submitted to state regulators, but since most states do not distinguish patient records from general public or consumer records, and do not require submissions to specifically identify the number of patients affected, submissions to individual states may not accurately reflect the number of patients that would be reported to HHS. Thus, we cannot accurately make comparisons or assumptions about the actual number of records breached from state-specific reports.

Markers Are Not New

2023 wasn’t the first year in which we saw 500 reported as a marker. As of September 12, 2024, 36 entries in HHS’s public breach tool for the period of January 1, 2019 – December 31, 2022 still show 500 as the number affected. For those reports where closing statements were available from HHS, nine were from ransomware attacks, four involved phishing attacks, two involved insider wrongdoing, four involved improper disposal, and one involved theft. Protenus suspects that, at the very least, the ransomware incidents likely each affected more than 500 patients.

So far for 2024, 49 out of 488 reports on HHS’s breach tool report the 500 marker as the number of patients affected. One of those reports has already been investigated and closed. That incident involved improperly stored paper records with PHI. There is no indication whether the entity truly claims that 500 patients were affected or whether HHS ever questioned the entity about the number affected.

For the 2024 data, although 10% of reports using markers may seem like an acceptable percentage for these types of filings, consider this: one of the marker incidents is the gigantic Change Healthcare breach that affected an estimated one third of the American population and numerous covered entities. The breach occurred in February of 2024, but was only first reported to HHS in July with a 500 marker. According to the HHS website, “Change Healthcare’s breach report to OCR identifies 500 individuals as the ‘approximate number of individuals affected.’ This is the minimum number of individuals affected that results in a posting of a breach on the HHS Breach Portal.” This event alone is likely to seriously skew all analyses and data for 2024. OCR initiated a compliance investigation in March, and that investigation is still pending.
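The marker problem described above can be handled mechanically when working with an export of the breach tool. The following is an added example, not Protenus’s or HHS’s own code: it parses constructed rows in the column layout the HHS portal export uses (column names are assumed), flags 500/501 entries, counts how many have sat unrevised past a threshold, and shows how far the markers pull a summary statistic.

```python
import csv
import io
from datetime import date
from statistics import median

# Constructed sample rows in the column layout of an HHS breach portal export.
# Column names are assumed; entity names and values are made up for illustration.
SAMPLE_CSV = """Name of Covered Entity,Individuals Affected,Breach Submission Date,Type of Breach
Example Clinic A,500,2023-04-10,Hacking/IT Incident
Example Clinic B,501,2023-06-02,Hacking/IT Incident
Example Hospital C,12000,2023-05-15,Hacking/IT Incident
Example Practice D,500,2024-08-01,Improper Disposal
Example Payer E,500,2024-07-19,Hacking/IT Incident
Example Practice F,2300,2024-03-03,Unauthorized Access/Disclosure
"""

# Values the post identifies as placeholders rather than real counts.
MARKER_VALUES = {500, 501}


def load_reports(text):
    """Parse the export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def is_marker(row):
    return int(row["Individuals Affected"]) in MARKER_VALUES


def marker_summary(rows, as_of, stale_after_days=365):
    """Count marker reports and those left unrevised longer than the threshold."""
    markers = [r for r in rows if is_marker(r)]
    stale = [
        r for r in markers
        if (as_of - date.fromisoformat(r["Breach Submission Date"])).days > stale_after_days
    ]
    return {
        "total": len(rows),
        "markers": len(markers),
        "stale_markers": len(stale),
        "marker_share": round(len(markers) / len(rows), 3),
    }


def affected_median(rows, exclude_markers):
    """Median of 'Individuals Affected', optionally dropping marker rows."""
    counts = [int(r["Individuals Affected"]) for r in rows
              if not (exclude_markers and is_marker(r))]
    return median(counts)
```

Run against a real export, the stale-marker list is the set of filings an analyst would want to cross-check against state filings or later addenda before trusting any yearly totals.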

All numbers in this blog post were accurate as of September 12, 2024.


Should There Have Been Updates by Now?

HHS's information for entities on submitting a notice of a breach to the Secretary states, in part:

“A covered entity’s breach notification obligations differ based on whether the breach affects 500 or more individuals or fewer than 500 individuals. If the number of individuals affected by a breach is uncertain at the time of submission, the covered entity should provide an estimate, and, if it discovers additional information, submit updates in the manner specified below. If only one option is available in a particular submission category, the covered entity should pick the best option, and may provide additional details in the free text portion of the submission.

If a covered entity discovers additional information that supplements, modifies, or clarifies a previously submitted notice to the Secretary, it may submit an additional form by checking the appropriate box to indicate that it is an addendum to the initial report, using the transaction number provided after its submission of the initial breach report.”

For the 2019-2022 data, entities certainly have had enough time to submit revised estimates or actual numbers for affected patients. Were they unable to determine the real number affected, did the pandemic interfere with such investigations, or were there other issues affecting the ability to update breach totals? From a regulatory perspective, organizations followed the guidance to submit markers when the actual count is not yet known, so this satisfies the requirements for HHS.

And what about the 2023 data? If we assume entities are reporting breach numbers to individual states (albeit not all is health data), would they not also submit updated or revised estimates to HHS by now?

How Does HHS Enforce Updates to Markers?

In the 2024 Breach Barometer, we reported that DataBreaches.net had sought an explanation from HHS as to how it follows up on marker submissions. Getting no response to multiple inquiries, DataBreaches.net filed under Freedom of Information to request records dealing with policies and procedures when markers are used to report healthcare breaches. No substantive reply has been received.

As these entities are following the written guidance of reporting a breach within the 60 day window, and providing a marker in the event the actual number of records are unknown, one could argue they have done what is needed.

In a recent video interview, HHS OCR Director Melanie Fontes Rainer stated,

“We have reopened our HITECH audits. And so we're proactively doing audits as well right now.”

She went on to discuss the lessons emerging from the Change Healthcare cyberattack and the “unprecedented size and nature” of the HIPAA breach. One could deduce from these statements that OCR is focused on boosting HIPAA enforcement and getting to the root cause of these attacks, rather than looking back at whether entities have updated their initial breach reports.

Given the impact hackers and other threat actors have had on the breach of patient health data, does the number reported to HHS and posted on HHS’s public breach tool provide a full picture of records breached?

For better or worse, many firms use HHS’s published breach tool to consider trends in health data breaches. As Protenus has noted each year in its Breach Barometer report, interpreting data from HHS’s breach tool is fraught with ambiguity about what some categories mean or how to interpret some numbers, but one thing seems clear to us: if an entity is not reporting updated data following initial breach reporting, and if regulations do not require any further timely notification to patients and to the Secretary, patients may be left in the dark about how their healthcare providers protect – or have failed to protect – their privacy.

We will continue to update our readers on this topic as new information is made available.

Update Notice November 2024

Following the original posting of this blog, HHS has announced: "On October 22, 2024, Change Healthcare notified the HHS Office for Civil Rights (OCR) that approximately 100 million individual notices have been sent regarding this breach. OCR has updated the answer to question #11 on OCR’s “Change Healthcare Cybersecurity Incident Frequently Asked Questions” webpage on this issue. OCR will continue to update the FAQs as needed."

At the time of the original blog post, we had noted that according to the HHS website, “Change Healthcare’s breach report to OCR identifies 500 individuals as the ‘approximate number of individuals affected.’ This is the minimum number of individuals affected that results in a posting of a breach on the HHS Breach Portal. This event alone is likely to seriously skew all analyses and data for 2024.”

The update from the 500 marker to "approximately 100 million individuals" certainly illustrates the enormous impact on analyses for the year.

Thank you for your continued interest in healthcare data privacy and compliance insights.
