A thoughtful reader commented on the recent blog post in this series that asked whether the 2012 Breach of Massachusetts Eye and Ear Infirmary (“MEEI”) should have by now been reflected in a third posting respecting MEEI on the HHS List. (Capitalized terms not otherwise defined herein shall have the meanings assigned to them in the earlier blog post.) 

The reader’s comments included the following:


I have been wondering—and this article [the blog post] continues to make me wonder—whether covered entities will be less likely to “err on the side of caution” in making breach reports, now that they see the potentially draconian consequences of making such a report. I think it’s pretty clear (and I think OCR [the Office of Civil Rights] has even said publicly) that large breach reports will trigger investigations and, as we have seen, investigations are likely to open to scrutiny all aspects of the covered entity’s HIPAA policies, practices and procedures. Seeing million dollar resolution agreements may give covered entities pause about blowing the whistle on themselves, particularly where there is room to argue whether the disclosure creates a significant risk of harm. . . .


The reader’s comments point out the importance of evaluating the risk of harm by any covered entity that experiences a PHI security breach, even if it appears not to rise to the level of a potential List Breach. I concur with the reader that more attention may be given by a covered entity in the future to make a risk analysis of the probable harm of a potential List Breach. One of the purposes will be to determine the number of involved individuals and whether the entity can reasonably conclude that a List Breach has not occurred, and, therefore, there may be no need for a List Breach report to HHS. 


The covered entity may so conclude even if it publicizes the PHI security breach, notifies “potentially affected individuals,” posts information about the breach on its Web site, engages in some “voluntary” remedial action for such potentially affected individuals, disciplines involved employees and makes improvements to its policies and procedures. Repeat marchers in the Breach Parade may be especially motivated to conclude that a List Breach has not occurred.


However, the stakes may be high for a covered entity to conclude that a List Breach has not occurred. The penalties that can flow from the potentially “draconian consequences of making such a report” to HHS can be greatly amplified if the conclusion not to report the security breach as a List Breach turns out to be erroneous. The failure to report a List Breach is a separate violation and can give rise to significant penalties. Moreover, the covered entity must consider that most states have adopted their own requirements to make timely reports to state regulators about a PHI security breach, often with different standards for reporting, and state Attorneys General can seek to enforce a failure to make a mandatory report under both state law and HIPAA.


To some observers, elements of the risk analysis of a covered entity for reporting a possible List Breach may be somewhat analogous to the considerations that exist for self-reporting by healthcare providers of potential false claims to the HHS Office of Inspector General under its voluntary disclosure program. The important difference is that voluntary disclosure is optional; reporting a PHI security breach that is a List Breach to HHS is mandatory, with potential materially adverse consequences for failure to comply.

Much has been written about the circumstances surrounding the agreement of Massachusetts Eye and Ear Infirmary (“MEEI”) to pay the U.S. Department of Health and Human Services (“HHS”) the sum of $1.5 million to settle potential violations involving an alleged security breach (the “2010 Breach”) of Protected Health Information (“PHI”) under HIPAA. However, relatively little has been written that the 2010 Breach was the second of what may be three significant PHI breaches experienced by MEEI within the last three years. 

This blog series has been following breaches of PHI that have been reported on the HHS list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Currently HHS has posted 502 List Breaches. The first List Breach posted for MEEI on the HHS List (the “2009 Breach”) was reported to have occurred by reason of a theft on November 10, 2009 that was said to have affected 1,076 individuals. 


The 2010 Breach was reported to have occurred on February 19, 2010, only slightly more than three months after the 2009 Breach. According to the HHS List, it affected 3,621 individuals. A statement from MEEI on its Web site reports that HHS review of the 2010 Breach was “triggered by the hospital’s proactive self-reporting of a doctor’s unencrypted laptop being stolen while he was traveling abroad in 2010.”  MEEI further stated that it “has no indication that any patients were harmed by this isolated incident.” Query: How “isolated” was the incident in view of the fact that the 2010 Breach occurred soon after the 2009 Breach?


Potential entries in the PHI Breach Parade did not end for MEEI, however, with the 2010 Breach. On April 16, 2012, during a time that MEEI was likely to have been heavily negotiating with HHS about the $1.5 million payment, MEEI posted the following statement on its Web site (the “2012 Statement”), about which relatively little was reported in the media:


On March 5, 2012, the Quincy, Massachusetts, Police Department informed [MEEI] that they were investigating a [MEEI] employee for inappropriately using the names, Social Security numbers and dates of birth of certain individuals, some of whom were believed to be MEEI patients. . . .

While [MEEI] is only aware of four individuals whose personal information was actually misused, as a precaution we are notifying, by mail,  approximately 3,600 patients whose Social Security numbers were available to the former employee in the course of performing her assigned duties.

The 2012 Statement went on to say that MEEI will “provide one year of free credit monitoring to potentially affected individuals to protect them against possible harm resulting from this incident.”  [Emphasis supplied.]


It is perplexing that nothing about the 2012 Breach has been posted on the HHS List to this point, although


(i)         the MEEI Web site reported the event more than six months ago,

(ii)        the number of “potentially” affected individuals far exceeded the 500 minimum threshold for placement on the HHS List, and

(iii)       the period during which MEEI was dealing with HHS after the 2010 Breach overlapped with the occurrence and aftermath of the 2012 Breach.

Queries: Did MEEI not report the 2012 Breach to the HHS List because it ultimately concluded that the 2012 Breach did not involve more than 500 individuals even though it does offer credit monitoring to more than 3,600 individuals? (As a potential third time marcher in the Breach Parade, MEEI was certainly aware of its reporting obligations to HHS.) In other words, did MEEI determine by a reasonable risk assessment that the potential access by the former employee to PHI of 3,600 individuals was not sufficient to require a report for the HHS List, absent more substantial proof that the PHI of 500 or more individuals was actually accessed and/or that 500 or more individuals were actually harmed by such access?

Alternatively, is it simply possible that HHS has been slow in reporting additional List Breaches on the HHS List, similar to a suggestion in an earlier post in this blog series that HHS may be slow in posting Summaries of cases that it has investigated and closed?

This blog series will continue to monitor developments in this area.