It is noteworthy that there are often substantial delays in disclosures regarding covered entities (“CEs”) that have become marchers in the Parade of large Protected Health Information (“PHI”) security breaches under HIPAA. This is the case even though the PHI breach notification rule requires that, when a PHI breach affects 500 or more individuals (a “Large Breach”), CEs must notify the affected individuals, the Secretary of the U.S. Department of Health and Human Services (“HHS”) and perhaps media outlets without unreasonable delay and in no case later than 60 days following a Large Breach. In turn, HHS posts each such Large Breach on its Web site list (the “HHS List”).
On September 11, 2013, the HHS List posted a Large Breach relating to Minne-Tohe Health Center/Elbowoods Memorial Health Center (collectively, the “Center”) that occurred on October 1, 2011 (the “2011 Breach”), almost two full years before the posting on the HHS List. The HHS List reveals that 10,000 individuals were reportedly affected by the 2011 Breach, which was reflected as attributable to “Improper Disposal, Unauthorized, Access/Disclosure” of a “Desktop Computer, Other.” There are several interesting aspects about the 2011 Breach.
First, the lapse of almost two years before the disclosure of the 2011 Breach represents one of the longest for a Large Breach on the HHS List that was attributable to an event that occurred on a single day. There are numerous Large Breaches on the HHS List that were reported by CEs as having extended for years, such as the most recent item posted to the HHS List on September 26, 2013 for South Shore Physicians, PC, which reflected a “Date of Breach” as running from 1/01/2006-01/12/2012.
Second, while the circumstances surrounding the 2011 Breach are very unclear, one can speculate, based on limited facts available on the Internet, that there may be a credible explanation for the delay. That being said, it is very difficult to locate descriptive information on the Internet regarding the 2011 Breach or the Minne-Tohe Health Center itself (“MTHC”). There is no current Web site for MTHC. While the Elbowoods Memorial Health Center (“Elbowoods”) has a Web site, recent and current information is limited, and there would appear to be no reference to the 2011 Breach.
What one can deduce from an October 27, 2011 press release (the “Press Release”) from North Dakota Governor Jack Dalrymple is that, at the time of the 2011 Breach, MTHC was the main medical facility for the Three Affiliated Tribes (consisting of the Mandan, Hidatsa and Arikara Nation) on the Fort Berthold Reservation, located west of New Town, ND. According to the Press Release, MTHC served as the Reservation’s main clinic for more than 40 years.
The purpose of the Press Release, however, was primarily to celebrate the grand opening of Elbowoods in New Town, a $20 million clinic to provide expanded health care services to the Reservation. The Press Release says, “The 43,000-square-foot facility, which opened October 17, replaces the existing Minne-Tohe Health Center located west of New Town.”
The foregoing information, limited as it may be, appears to provide a possible explanation for the long delay in disclosure of the 2011 Breach. At the reported time of the 2011 Breach, MTHC was in the process of winding down its 40 years of operations, and its personnel were transferring and transitioning the operations, including presumably the health records of MTHC, to Elbowoods. The likely tumult of activity in early October 2011 at MTHC may have brought about a loss of contact with the PHI that was the subject of the 2011 Breach.
Other aspects of the 2011 Breach remain unexplained for lack of public information, such as whether affected individuals were duly notified, even two years later, as required by HIPAA. Nonetheless, the 2011 Breach stands for the proposition that a CE that becomes a marcher in the Parade of Large Breaches may be well served by publishing sufficient information, including the reasons, if any, for a potential violation of HIPAA in addition to the Large Breach itself (e.g., undue delay in breach notification), as opposed to leaving meaningful questions unanswered.