HHS has recently updated the HHS Wall of Shame…I mean the HIPAA Breach Reporting Tool (HBRT). Whatever you want to call the tool, you can find the most updated version here. Here’s a short description from the press release about the updates to the breach notification tool:
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) today launched a revised web tool that puts important information into the hands of individuals, empowering them to better identify recent breaches of health information and to learn how all breaches of health information are investigated and successfully resolved. The HIPAA Breach Reporting Tool (HBRT) features improved navigation for both those looking for information on breaches and ease-of-use for organizations reporting incidents. The tool also helps educate industry on the types of breaches that are occurring, industry-wide or within particular sectors, and how breaches are commonly resolved following investigations launched by OCR, which can help industry improve the security posture of their organizations.
The new design is nice and it makes sense to finally archive some of the breaches on the list. How long should we condemn an organization that’s had a breach by having them on the list? Of course, it is still available on the archive.
Since the start of the HIPAA Breach notification tool (October 2009), there have been 1674 breach notifications (only includes breaches of 500 people or more). In just the last 24 months they’ve posted 364 breaches with nearly 28 million individuals affected. I’ll have to get my friends at Qlik to import the data to do more analysis of the data. Here’s a look at the data the tool provides:
The tool includes: the name of the entity; state where the entity is located; number of individuals affected by the breach; the date of the breach; type of breach (e.g., hacking/IT incident, theft, loss, unauthorized access/disclosure); and location of the breached information (e.g., laptop, paper records, desktop computer).
I wish they included more details on what caused the breach and more practical ways to defend against the various breaches. That would make the list a lot more actionable. However, I also understand why that would be a hard task to accomplish.
Just looking over some of the recent breaches, I wasn’t shocked by the number of hacking incidents that are being reported. We’ve widely reported on these types of hacking incidents as well. However, I was pretty shocked by how many of the recent breaches were by email. Once again, I wish I had a lot more information about what actually happened with these email breaches. Looks like HHS collects it when someone files a breach. I guess I understand why they can’t share the individual answers, but it would be nice to have some summary reports of actions taken by those that were breached.
What do you think of HHS’ updates to this tool? Is it useful in helping them reach their goal of making the industry safer? Is there something else they could do with the tool to make it work better? We look forward to reading your thoughts in the comments.