By eagleconsultingpartners | Published: April 2, 2014
Undisclosed breaches are common in large healthcare enterprises according to recent survey
According to a recent security survey by ThreatTrack, nearly 6 in 10 enterprise malware analysts from healthcare organizations admit that they investigated or addressed a data breach that was never reported by their company. The survey, which collected responses from 200 malware analysts across a cross-section of US-based industries, was conducted in October 2013.
More malware analysts from larger enterprises (over 500 employees) than from smaller organizations said their organization did not disclose a data breach.
The study findings reported by ThreatTrack did not include a detailed description of its methodology or the number of respondents from the healthcare industry. Consequently, one must use caution in interpreting these results or drawing conclusions about practices in the healthcare industry. However, this finding is consistent with anecdotal observations made by Eagle Consulting that healthcare organizations are not reporting all breaches.
The HIPAA regulations prescribe a risk analysis to be conducted to determine whether breach notification is required; the study makes no mention of this. Depending on the results of that risk analysis, the breach must be reported to HHS and to the affected patients, and, in the event of a large breach, to the media.
Healthcare organizations should be aware that intentional non-reporting of a breach, under the HIPAA enforcement rules, could lead to a finding of “willful neglect”. In instances of willful neglect the highest tier of fines, over $50,000 per violation, applies. Our advice is to carefully follow all rules regarding mandatory breach reporting, and to obtain professional support through the complex process.