The Office for Civil Rights at the Department of Health and Human Services is probing a “hacking/IT incident” at Defense Health Headquarters.
HHS disclosed initial details of the breach on its Office for Civil Rights (OCR) breach portal website, in which it noted that 1,279 individuals have been affected by the incident.
The OCR has law enforcement powers and is responsible for ensuring private and public sector compliance with information privacy and security laws. It can require organizations to take remedial action and in some cases issue fines.
Entities whose data governance is regulated by OCR include public and private sector organizations in three groups: health plans, health care providers and health care clearinghouses. Federal government organizations defined as covered entities under the legislation include Medicaid, Medicare and the Veterans Health Administration.
Under the Health Insurance Portability and Accountability Act of 1996, covered entities are required to respond to a suspected breach within a defined timeline.
When an incident affects 500 or more individuals, the covered entity involved must notify HHS and the department secretary “without unreasonable delay,” and no more than 60 calendar days from discovery of the breach.
When a health data breach incident affecting fewer than 500 individuals is discovered, covered entities must still notify the HHS secretary, but have until 60 days after the end of the calendar year in which the breach was discovered to do so.
OCR has a wide-ranging enforcement remit at HHS that focuses on ensuring compliance with the nation’s civil rights, conscience and religious freedom laws in addition to health information privacy and security laws.
An OCR spokesperson said: “Generally, OCR does not comment on open or potential investigations.”
A Defense Department spokesperson referred FedScoop’s query to HHS.