Latest OCR Data Breach Update Reveals Breaches Currently Under Investigation

by | Jul 28, 2017

In June 2017, the Department of Health and Human Services confirmed it was considering updating its data breach portal – commonly referred to as the OCR ‘Wall of Shame’.

Section 13402(e)(4) of the HITECH Act obliges OCR to maintain a public list of privacy breaches of protected health information that have impacted greater than 500 individuals. All 500+ record data breaches made known to the OCR since 2009 are listed on the breach portal.

The data breach list includes a wide variety of privacy breaches, many of which happened through no fault of the covered entity and included no violations of HIPAA Rules.

OCR has been on the receiving end of some criticism for its breach portal due to this reason, most recently from Rep. Michael Burgess (R-Texas) who said the breach portal was ‘unnecessarily punitive’ in its current state.

For example, burglaries will always occur even with adequate physical security in place and appropriate other controls in place. Additionally, rogue healthcare employees will access PHI out of curiosity or with inappropriate intent from time to time and with some consider it unfair for those breaches to remain on public display with no expiration.

OCR Director Roger Severino stated in June that “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved.”

The HITECH Act requires OCR to have responsibility for the portal. However, the Act does not specify for how long that information must remain displayed. One potential aspect for change would be a time limit for displaying the breach summaries. There was concern from privacy supporters about the potential for losses of information from the portal, which would make it difficult for information about past breaches to be discovered for research purposes or by patients whose PHI may have been made public.

Alterations have been made to the breach portal. The breach portal now shows all data breaches that are currently under review by OCR. OCR looks into all reported data breaches that impact more than 500 individuals. Presently, the list shows there are 354 active reviews dating back to July 2015.

The order of the list has also been altered so the most recent breach reports are displayed at the top – making it more convenient for checking the latest organizations to report data and privacy breaches.

Data breaches that were made known to the OCR more than 24 months ago along with breach investigations that have now been closed off have not been lost, instead they have been moved to an active archive. This archive can be accessed through the site and is completely searchable, as before.

OCR has stated that the new updated portal “Puts important information into the hands of individuals, empowering them to better identify recent breaches of health information and to learn how all breaches of health information are investigated and successfully resolved.”

Other improvement stated by OCR are:

  • Better functionality that highlights breaches currently under review and reported within the last 24 months
  • The addition of an archive that includes all older breaches and information about how breaches were settled
  • Improved website navigation to additional breach information
  • Tips and advice for consumers

More updates to the portal are to be made with the portal due to benefit from better functionality and new website features over time.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy