Breach of Washington Township Health Care District Data
Almost three months after suffering a breach of personal information, Washington Township Health Care District has submitted a breach notice to the California Attorney General’s Office detailing a breach of personal information of California residents.
The data breach was discovered on October 8, 2015, and involved the potential accessing of a Washington Community Health Resource Library computer by an unauthorized individual. A library identification card database was potentially compromised in the incident. The database contained names, addresses, and driver’s license numbers. No other data were accessed or compromised in the security breach.
An investigation was launched upon discovery of the security breach and an external computer forensics firm was contracted in this regard. While no evidence was uncovered to suggest the database file was accessed, it remains a possibility.
In response to the breach, information security policies are being reviewed and will be updated, as necessary, to strengthen security. It is not clear at this point in time how many individuals were affected. All have been offered a year of credit monitoring services without charge.
Updated Californian Breach Notification Laws Now Effective
On January 1, 2016, October updates to California breach notification laws came into effect. The new laws require all agencies suffering data breaches that affect residents of California to issue breach notifications in a new format to aid understanding.
The law change requires breach notification letters to be written in plain English, contain the title “Notice of Data Breach”, and provide information under specific headings: “What Happened?”, “What Type of Information Was Involved?”, “What Are We Doing?”, “What Can You Do?” and “For More Information.”
The agency suffering the breach is also required to place a “Notice of Data Breach” in a prominent location on their website, if one is maintained, and that must remain for a minimum period of 30 days. An electronic copy of a sample breach notice must also be sent to the California Attorney General’s office in cases of a breach of “personal information” affecting more than 500 individuals.
Breach notification letters must be issued without unreasonable delay, except when doing so may compromise a law enforcement investigation. It is not clear whether this was the case and was the reason for the delay. Under the new breach notification laws, if this is the case it is required to be mentioned in the notifications.