Public understanding of cybersecurity events is extremely inconsistent, including breaches that involve large amounts of protected health information (PHI) -- America's most regulated data category.
Federal law requires organizations to publicly disclose any incident that may have exposed PHI for 500 or more individuals, with disclosure expected within 60 days from the point when an organization should have known that exposure was possible. In addition to sending breach notice letters to affected individuals, organizations are required to
For example, the OCR breach portal only provides a few types of information summaries that obscures which organization was actually breached and the total number of organizations/individ