Archives: PHI Security Breach Notification

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Previous blog posts in this series discussed here and  here the volume of List Breaches that occurred in earlier periods. As of August 13, 2013, there were postings of 646 List Breaches.

In the almost 3½ years since the inception of the HHS List on March 4, 2010, there have been 646 postings for an annualized average of approximately 189 postings per twelve-month period. Approximately 334 (51.7%) of the postings reported the type of breach to involve “theft” of all kinds, including laptops, other portable electronic devices, desktop computers, network servers, paper records and others. If the approximately 66 additional List Breaches reporting the type of breach as a “loss” of various types is added to the 334 “theft” events, the total for the two categories swells to approximately 400 or 61.9% of the 646 posted List Breaches. Combining the two categories appears to make some sense since it is likely that a number of the List Breaches categorized as a “loss” event may have involved some theft aspects.

Even more significant may be the fact that approximately 230 (35.6%) of the List Breaches reflected the cause or partial cause of the breach to be “theft” or “loss” respecting laptops or other portable electronic devices. Theft or loss of laptops or other portable electronic devices thus constituted 57.5% of the approximately 400 List Breaches that involved reported theft or loss.

It is likely that it will be a number of months after the effective date of the Omnibus Rule on September 23, 2013, that List Breaches can begin to be evaluated under post-Omnibus Rule standards, such as the presumption that a PHI security event is a breach unless established otherwise. It will be interesting to see if any of the numbers reported above materially change in the post-Omnibus Rule environment.

As has been emphasized in the past, it may have become more a question of when a covered entity (“CE”) or business associate (“BA”) will suffer a PHI security breach and how severe the breach will be, rather than if it will ever suffer a breach. The geometric increase in portable electronic devices to receive, access and store PHI should be monitored carefully by CEs and BAs, as it can be expected that this type of security breach will continue to expand. Effective policies and procedures must be established by CEs and BAs to govern use of such electronic devices, both with respect to entity-supplied devices and personal devices. Many individuals have multiple portable electronic devices of both types that may become repositories of unprotected PHI, whether voluntarily or involuntarily.

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). As of January 1, 2013 (and as of today), there were 525 postings of List Breaches.

A previous blog post reported that, on February 24, 2012, HHS listed the 400th List Breach. As the first postings on the HHS List occurred on March 4, 2010, an average of about 200 postings of List Breaches were recorded in each of its first two years. However, in the 10-plus months between February 24, 2012 and January 1, 2013, 125 additional List Breaches were posted, which on an annualized twelve month period basis would translate into 150 List Breaches. It is not yet clear whether the lower volume of List Breaches since February 2012 is attributable to increased caution and better practices in protecting PHI on the part of covered entities (“CEs”) and business associates (“BAs”), greater use of encryption and other practices to protect PHI, slower postings of List Breaches by HHS, other factors or a combination thereof.

 

Of the total of 525 List Breaches posted through January 1, 2013, there were approximately 274 (52.2%) events that attributed the type of breach to involve “theft” of all kinds, including laptops, other portable electronic devices, desktop computers, network servers, paper records and others. If the 60 additional List Breaches listing the category of “loss” of all types is added to the 274 “theft” events, the total for the two categories swells to approximately 334 or 63.6% of the 525 posted List Breaches. Combining the two categories appears to make some sense since it is likely that a number of the List Breaches categorized as a “loss” event may have involved some theft aspects.

 

Even more revealing may be the fact that approximately 193 (36.8%) of the 525 List Breaches listed the cause or partial cause of the breach to be “theft” or “loss” respecting laptops or other portable electronic devices.  Theft or loss of laptops or other portable electronic devices thus constituted 51.6% of the 334 List Breaches that involved reported theft or loss. 

 

Over the last 10 months since the number of List Breaches passed 400, it appears that the relative percentage of List Breaches attributable to theft and loss is trending mildly upward. Of the 125 additional reported List Breaches, approximately 86 or 68.8% listed theft or loss as the source of the PHI breach. The number of such 125 List Breaches that reported theft or loss of laptops or other portable electronic devices was 37 or 29.6%, a lower percentage than the 36.8% for all 525 List Breaches.  The sample sizes are relatively small, so that further following of these numbers is warranted.

 

My partner, William Maruca, Esq., recently posted a blog entry highlighting the fact that the first breach settlement announcement by HHS in 2013 (the “2013 Settlement”) involved a $50,000 fine based on theft of a laptop containing 441 patients’ unencrypted data. It was the first fine by HHS for a PHI security breach that involved fewer than 500 individuals and, therefore, was below the threshold for a List Breach. 

 

While the parade of List Breaches continues to lengthen, the 2013 Settlement underscores the fact that there are many more PHI security breaches involving fewer than 500 individuals. The PHI security breaches that are not List Breaches are receiving increased scrutiny by HHS. As this blog series has emphasized in the past, it may become more a question of when a CE or BA will suffer a PHI security breach and how severe the breach will be, rather than if it will suffer a breach. All CEs and BAs must exercise vigilance and use recommended protection procedures to avoid all PHI security breaches, not just large List Breaches. The continuing proliferation of the use of portable electronic devices to receive, access and store PHI should be monitored, as it can be expected that this type of security breach will continue to expand.

A thoughtful reader commented on the recent blog post in this series that asked whether the 2012 Breach of Massachusetts Eye and Ear Infirmary (“MEEI”) should have by now been reflected in a third posting respecting MEEI on the HHS List. (Capitalized terms not otherwise defined herein shall have the meanings assigned to them in the earlier blog post.) 

The reader’s comments included the following:

 

I have been wondering—and this article [the blog post] continues to make me wonder—whether covered entities will be less likely to “err on the side of caution” in making breach reports, now that they see the potentially draconian consequences of making such a report. I think it’s pretty clear (and I think OCR [the Office of Civil Rights] has even said publicly) that large breach reports will trigger investigations and, as we have seen, investigations are likely to open to scrutiny all aspects of the covered entity’s HIPAA policies, practices and procedures. Seeing million dollar resolution agreements may give covered entities pause about blowing the whistle on themselves, particularly where there is room to argue whether the disclosure creates a significant risk of harm. . . .

 

The reader’s comments point out the importance of evaluating the risk of harm by any covered entity that experiences a PHI security breach, even if it appears not to rise to the level of a potential List Breach. I concur with the reader that more attention may be given by a covered entity in the future to make a risk analysis of the probable harm of a potential List Breach. One of the purposes will be to determine the number of involved individuals and whether the entity can reasonably conclude that a List Breach has not occurred, and, therefore, there may be no need for a List Breach report to HHS. 

 

The covered entity may so conclude even if it publicizes the PHI security breach, notifies “potentially affected individuals,” posts information about the breach on its Web site, engages in some “voluntary” remedial action for such potentially affected individuals, disciplines involved employees and makes improvements to its policies and procedures. Repeat marchers in the Breach Parade may be especially motivated to conclude that a List Breach has not occurred.

 

However, the stakes may be high for a covered entity to conclude that a List Breach has not occurred. The penalties that can flow from the potentially “draconian consequences of making such a report” to HHS can be greatly amplified if the conclusion not to report the security breach as a List Breach turns out to be erroneous. The failure to report a List Breach is a separate violation and can give rise to significant penalties. Moreover, the covered entity must consider that most states have adopted their own requirements to make timely reports to state regulators about a PHI security breach, often with different standards for reporting, and state Attorneys General can seek to enforce a failure to make a mandatory report under both state law and HIPAA.

 

To some observers, elements of the risk analysis of a covered entity for reporting a possible List Breach may be somewhat analogous to the considerations that exist for self-reporting by healthcare providers of potential false claims to the HHS Office of Inspector General under its voluntary disclosure program. The important difference is that voluntary disclosure is optional; reporting a PHI security breach that is a List Breach to HHS is mandatory, with potential materially adverse consequences for failure to comply.

Much has been written about the circumstances surrounding the agreement of Massachusetts Eye and Ear Infirmary (“MEEI”) to pay the U.S. Department of Health and Human Services (“HHS”) the sum of $1.5 million to settle potential violations involving an alleged security breach (the “2010 Breach”) of Protected Health Information (“PHI”) under HIPAA. However, relatively little has been written about the fact that the 2010 Breach was the second of what may be three significant PHI breaches experienced by MEEI within the last three years.

This blog series has been following breaches of PHI that have been reported on the HHS list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Currently HHS has posted 502 List Breaches. The first List Breach posted for MEEI on the HHS List (the “2009 Breach”) was reported to have occurred by reason of a theft on November 10, 2009 that was said to have affected 1,076 individuals. 

 

The 2010 Breach was reported to have occurred on February 19, 2010, only slightly more than three months after the 2009 Breach. According to the HHS List, it affected 3,621 individuals. A statement from MEEI on its Web site reports that HHS review of the 2010 Breach was “triggered by the hospital’s proactive self-reporting of a doctor’s unencrypted laptop being stolen while he was traveling abroad in 2010.”  MEEI further stated that it “has no indication that any patients were harmed by this isolated incident.” Query: How “isolated” was the incident in view of the fact that the 2010 Breach occurred soon after the 2009 Breach?

 

Potential entries in the PHI Breach Parade did not end for MEEI, however, with the 2010 Breach. On April 16, 2012, during a time that MEEI was likely to have been heavily negotiating with HHS about the $1.5 million payment, MEEI posted the following statement on its Web site (the “2012 Statement”), about which relatively little was reported in the media:

 

On March 5, 2012, the Quincy, Massachusetts, Police Department informed [MEEI] that they were investigating a [MEEI] employee for inappropriately using the names, Social Security numbers and dates of birth of certain individuals, some of whom were believed to be MEEI patients. . . .

While [MEEI] is only aware of four individuals whose personal information was actually misused, as a precaution we are notifying, by mail,  approximately 3,600 patients whose Social Security numbers were available to the former employee in the course of performing her assigned duties.

The 2012 Statement went on to say that MEEI will “provide one year of free credit monitoring to potentially affected individuals to protect them against possible harm resulting from this incident.”  [Emphasis supplied.]

 

It is perplexing that nothing about the 2012 Breach has been posted on the HHS List to this point, although

 

(i) the MEEI Web site reported the event more than six months ago,

(ii) the number of “potentially” affected individuals far exceeded the 500 minimum threshold for placement on the HHS List, and

(iii) the period during which MEEI was dealing with HHS after the 2010 Breach overlapped with the occurrence and aftermath of the 2012 Breach.

Queries: Did MEEI not report the 2012 Breach to the HHS List because it ultimately concluded that the 2012 Breach did not involve more than 500 individuals even though it does offer credit monitoring to more than 3,600 individuals? (As a potential third time marcher in the Breach Parade, MEEI was certainly aware of its reporting obligations to HHS.) In other words, did MEEI determine by a reasonable risk assessment that the potential access by the former employee to PHI of 3,600 individuals was not sufficient to require a report for the HHS List, absent more substantial proof that the PHI of 500 or more individuals was actually accessed and/or that 500 or more individuals were actually harmed by such access?

Alternatively, is it simply possible that HHS has been slow in reporting additional List Breaches on the HHS List, similar to a suggestion in an earlier post in this blog series that HHS may be slow in posting Summaries of cases that it has investigated and closed?

This blog series will continue to monitor developments in this area.

As reported in the Houston Chronicle on June 28, 2012, an unencrypted laptop computer containing data on more than 30,000 patients of the University of Texas MD Anderson Cancer Center (“MD Anderson”) was stolen from a faculty member’s home on April 30, 2012. The stolen laptop scenario has become all too familiar (this blog series has reported on the high proportion of breaches resulting from the theft or loss of laptops or other portable devices), and even the high number of patients affected pales in comparison with the roughly 5 million patients affected in the SAIC breach.

What caught my attention was the fact that MD Anderson posted notice of the breach on its website on June 28th, exactly 59 days after the theft took place. Pursuant to the interim final breach notification regulations, a covered entity must provide notice to affected individuals “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.” Although an exception to prompt notification exists where a law enforcement official tells the covered entity (or business associate) that notification would impede the criminal investigation or cause damage to national security, the time required for performance of a criminal investigation is, presumably, less than 60 days. MD Anderson’s website notice gives every indication that it acted promptly and investigated thoroughly:

 

MD Anderson was alerted to the theft on May 1 and immediately began a thorough investigation to determine what information was contained on the laptop. After a detailed review with outside forensics experts, we have confirmed that the laptop may have contained some of our patients’ personal information, including patients’ names, medical record numbers, treatment and/or research information, and in some instances Social Security numbers.

 

Would patients have been better off knowing their data might have been illegally accessed prior to day 59 following the breach, or does the benefit of a thorough investigation outweigh the risk that earlier notification would have benefited patients? 

 

Navigant Consulting released an “Information Security and Data Breach Report” in April of this year that found that the average number of days between discovery of a breach involving medical records and disclosure was 63 days in the third quarter of 2011, compared with 65 days in the fourth quarter of 2011, an increase of 3%, even though applicable HIPAA law requires patients to be notified “without unreasonable delay” and no later than 60 days following the breach. When analyzed in terms of the entity reporting the breach, “[h]ealthcare entities registered an 84% increase between discovery and disclosure from 51 days in Q3 to 94 days in Q4.”

 

From this perspective, it seems MD Anderson did pretty well. Had the faculty member delayed his or her original notification to MD Anderson regarding the theft, however, MD Anderson might have been hard-pressed to meet the 60 day deadline. Covered entities such as MD Anderson (and business associates who provide protected health information to subcontractors) should be reminded that prompt communication and investigation is essential to meeting the “without unreasonable delay and in no case later than 60 calendar days” notification requirement, and must balance the need to get the facts straight with the need to alert affected individuals, and, where applicable, the Department of Health and Human Services and state agencies, as quickly as possible. 

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). As reported in a recent posting, the HHS List includes guidance that covered entities (“CEs”) and business associates (“BAs”) can use in the event of a PHI security breach in the form of brief summaries (“Summaries”) of the breach cases that the federal Office of Civil Rights (“OCR”) has investigated and closed. 

On June 26, 2012, HHS and OCR reported in a press release (the “Press Release”) that Alaska Department of Health and Social Services, the state Medicaid agency (“Alaska Medicaid”), had agreed to pay HHS $1.7 million with respect to a resolution of possible violations of HIPAA, which included the compromising of PHI of 501 affected individuals by means of a theft that occurred on October 12, 2009 of an “Other Portable Electronic Device” (the “2009 Breach”).  Alaska Medicaid has also agreed, among other things, to take corrective action to properly safeguard the PHI of Medicaid beneficiaries. An official statement by Alaska Medicaid Commissioner Bill Streur relating to the resolution with HHS of the 2009 Breach is posted on the Alaska Medicaid Web site.

 

While the Alaska Medicaid resolution has not yet been reported in a Summary on the HHS List, visiting the HHS List reveals that the 2009 Breach was originally posted by HHS in the very first batch of List Breaches on February 22, 2010. What is also interesting is that Alaska Medicaid had a later separate List Breach, reportedly involving the compromising of PHI of approximately 2,000 affected individuals by means of a theft on September 7, 2010 of an “Other Portable Electronic Device” (the “2010 Breach”). The 2010 Breach was reported as involving Alaskan AIDS Assistance Association as a BA.

 

However, it is difficult to identify readily that the 2009 Breach and the 2010 Breach involved the same CE, Alaska Medicaid. The 2009 Breach is alphabetically indexed under “Alaska Department of Health and Social Services,” while the 2010 Breach is indexed under “State of Alaska, Department of Health and Social Services.” It would be helpful for HHS to endeavor to use CE and BA names consistently to assist in analysis by those visiting the HHS List.

 

The Press Release of HHS regarding the 2009 Breach quotes OCR Director Leon Rodriguez: “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”

 

It is commendable that OCR enforces compliance with HIPAA against private and public entities with the same vigor. Query, however, to what extent is it wise for HHS to exact a $1.7 million payment from Alaska Medicaid? Alaska Medicaid oversees a program to provide medical care to the indigent in Alaska, a program that is funded by the taxpayers of Alaska and the U.S. In almost all states, Medicaid programs are financially embattled and under severe economic and political stress. The large payment by Alaska Medicaid to HHS is an enforced shifting by a state agency of “other people’s money” to HHS that may have to be replaced by increased taxes or reductions in future benefits for Alaskan indigents.

 

This blog series will continue to review various of the OCR Summaries and resolutions to give guidance to CEs and BAs.  We will also monitor future developments with respect to the 2010 Breach.

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Currently HHS has posted 435 List Breaches affecting marchers in the ever-lengthening parade, although the number of marchers has remained unchanged for several weeks.

The most recent posting on this blog series by my partner Elizabeth Litten, Esq., discussed a recent presentation by Linda Sanches, Office of Civil Rights ("OCR") Senior Advisor and the lead on HIPAA Compliance Audits, on the progress of the 2012 HIPAA Privacy and Security Audit Program.  As pointed out in the earlier posting, the presentation by Ms. Sanches included some general tips that covered entities (“CEs”) and business associates ("BAs") can use to reduce the likelihood of HIPAA violations, one of which is PHI security breaches.

 

The HHS List includes additional focused guidance from OCR that CEs and BAs can use in efforts to avoid, or in the event of, a PHI security breach (even if it does not rise to the level of a List Breach) in the form of  brief summaries of the breach cases that OCR has investigated and closed. To date, the HHS List has posted approximately 93 summaries (“Summaries”) out of the 435 postings respecting marchers in the Breach Parade (which include some multiple postings of List Breaches where an alleged breach by one BA caused a number of CEs to have List Breaches). Of the 93 List Breaches for which Summaries have been prepared by OCR, 18 (approximately 20%) were reported as involving BAs.  

 

These Summaries can provide valuable clues for CEs and BAs on how to deal with a HIPAA security breach. One example is contained in a Summary respecting a List Breach reported on January 29, 2010 by Thrivent Financial for Lutherans (“Thrivent”) in Wisconsin. The List Breach, which did not report an involved BA, related to a theft of laptops that contained the PHI of approximately 9,400 individuals. (The original report by Thrivent had stated that approximately 9,500 individuals had been affected.) The OCR Summary included the following statement:

 

The protected health information involved in the breach included name, address, date of birth, social security number, prescription drugs, medical condition, age, weight, etc. Thrivent provided OCR with additional controls to remedy causes of security breach at various stages of implementation. The actions taken by the CE prior to OCR’s formal investigation brought the CE into compliance.

 

OCR clearly viewed it as noteworthy and commendable that Thrivent had voluntarily taken necessary steps for compliance before OCR conducted its investigation. That should be an alert for those who suffer HIPAA breaches that all appropriate and reasonable remedial measures should be undertaken promptly to demonstrate and document compliance before OCR comes knocking on the door of the CE. This blog series will continue to review various of the OCR Summaries as to guidance that they may contain respecting PHI security breaches.

This blog series has been following the ever-growing parade of large security breaches of Protected Health Information (“PHI”). Within the last week, The Boston Globe reported that venerable Boston Children’s Hospital (the “Hospital”), the primary pediatric teaching hospital of Harvard Medical School, has notified the public media and affected individuals of a large PHI security breach (the “Breach”). The Globe article by Chelsea Conaboy reported that the Breach occurred when an employee of the Hospital, while at a conference in Buenos Aires, Argentina, “lost a laptop containing a file with information about 2,159 patients, including names, birth dates, diagnoses, and treatment information.” The laptop, which was reported by the Hospital as having been password protected but not encrypted, did not include financial data or Social Security numbers.

The Breach is one of the first reported instances of the loss or theft outside of the United States of a laptop that contained unsecured PHI. Nonetheless, it is uncertain as to whether the PHI stored on the computer has been or will be inappropriately accessed and used.

The Breach has not yet been reported on the U.S. Department of Health and Human Services list (the “HHS List”) of reported breaches of unsecured PHI affecting 500 or more individuals. Nor does a visit to the Hospital’s Web site and its on-line “Newsroom” and Press Releases for 2012 reveal any reference to the Breach.  

The Hospital does have a Code of Conduct on its Web site that contains a short reference to “Patient Privacy and Confidentiality.” However, an endeavor to open the links under that heading to referenced “Patient Health Information Policies” and “Information Security Policies” only results in “Oops! There was an error finding that page” and instructions to try again. Moreover, the Code of Conduct has a bottom line on each page that recites a publication date of 12/06, well before the enactment of the federal HITECH Act.

A number of conclusions can be drawn from the information currently available regarding this unfortunate Breach. If the Hospital takes “this incident and the protection of protected health and personal information extremely seriously,” as the Hospital’s chief information officer was quoted in the Globe article, the Hospital should, at a minimum, as many other covered entities that have suffered PHI security breaches have done, prominently place its press release respecting the Breach on its Web site.

The Hospital should also appropriately update its Code of Conduct respecting patient privacy and confidentiality and rectify the “dead” links that would provide meaningful information on such subjects to those who seek it.

Finally, the Hospital and other covered entities should consider adopting clear policies governing the protection and transporting outside of the United States of laptops and other electronic devices that contain PHI.

Postings on this blog series have been following the continuing parade of security and privacy breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals. On March 30, 2012, a large data security breach (the “Utah Breach”) that has not yet been posted on the HHS List was experienced by the Utah Department of Technology Services (“DTS”) on a computer server (the “DTS Server”) that stores Medicaid and Children’s Health Insurance Program (“CHIP”) claims data.  

DTS detected the Utah Breach on Monday, April 2, 2012 after the putative thieves began removing data from the DTS Server. Upon detection, DTS stated that it immediately shut down the DTS Server, has identified where the breakdown in security occurred and has implemented new processes to ensure this type of breach will not happen again.

 

DTS and the Utah Department of Health (“UDOH”) have established a separate Web page to provide “Latest Information” respecting the Utah Breach (the “Update Page”). The Update Page has turned out to be a useful reporting mechanism for what has become a continuously rising count of individuals affected by the Utah Breach. Currently the Update Page reports that “approximately 280,000 victims had their Social Security numbers stolen and approximately 500,000 other victims had less-sensitive personal information stolen.” Therefore, the total current number of identified affected individuals of the Utah Breach appears to be approximately 780,000. However, the various numbers of victims reflected on the Update Page are somewhat confusing, possibly due at least in part to the addition on a serial basis of newly discovered victims.

Information on the DTS Server included claims payment and eligibility inquiries regarding potential Medicaid and CHIP claimants. According to UDOH:

This could include sensitive, personal health information from individuals and health care providers such as Social Security numbers, names, dates of birth, addresses, diagnosis codes, national provider identification numbers, provider taxpayer identification numbers, and billing codes.

Interestingly, UDOH and DTS have made a clear distinction as to the assistance and support that they will provide to identified victims of the Utah Breach. Victims who had their Social Security numbers (“SSNs”) stolen will be offered one year of free credit monitoring services. Those victims of the Utah Breach who did not have SSNs stolen will not be offered free credit monitoring services, even though they have had other information compromised that has been characterized by UDOH as “less-sensitive.” Moreover, those who had SSNs stolen will receive priority in being alerted as to the Utah Breach over those victims who did not have stolen SSNs.

The Utah Breach is not the first large PHI breach experienced by UDOH.  The HHS List reports that on March 1, 2010, UDOH had an "Unauthorized Access/Disclosure" affecting 1,298 individuals respecting "Computer, Paper."  The HHS List also reflects that Utah Department of Workforce Services was involved as a Business Associate in the 2010 UDOH PHI breach.

It is possible that the current offering by UDOH of free credit monitoring services only to those Utah Breach victims who had stolen SSNs may be reevaluated or changed in the future. This blog series has previously reported the abrupt about-face by SAIC to offer credit monitoring services to the millions of victims of its large 2011 PHI breach after pressure by the Department of Defense to do so.

We will continue to monitor developments with regard to the Utah Breach.