GAO: HHS Needs Improved Data Breach Reporting


Data breaches have increased each year since 2015.

The Government Accountability Office is recommending the Department of Health and Human Services establish a feedback mechanism to improve the effectiveness of its data breach reporting process.

The single recommendation, issued in a June 27 audit, follows a significant increase in the number of breaches of unsecured protected health information reported to HHS. The number of reported breaches affecting 500 or more individuals has risen year over year since 2015, with the total number of individuals affected in a single year reaching as high as 113 million.

According to the audit, hacking and IT incidents accounted for approximately 55% of the roughly 3,200 breaches reported to the agency from 2015 to 2021. Unauthorized access and disclosure, theft, loss and improper disposal accounted for the remainder, according to the HHS Office for Civil Rights (OCR).

“According to OCR’s breach data, hacking and IT incidents have significantly increased by 843 percent since 2015. Similarly, unauthorized access and disclosure have increased by 43 percent since 2015,” the audit states.

OCR is responsible for enforcing the HIPAA privacy, security and breach notification rules, which includes managing the process through which covered entities and business associates report breaches. However, GAO notes OCR “does not have a method for covered entities to provide feedback on the breach reporting process, nor did the office indicate that it had plans to develop one.”

“Without a clear mechanism to provide feedback to OCR, covered entities and business associates can face challenges during the breach reporting process. Further, soliciting feedback on the breach reporting process could help OCR improve aspects of the process,” auditors note.

HHS concurred with GAO’s recommendation.