California DOJ Must Be Notified About Breaches of the Health Data of 500 or More California Residents

The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to notify the HHS’ Office for Civil Rights (OCR) about data breaches, and healthcare organizations are also required to comply with state data breach notification laws.

Many states have introduced their own data privacy laws, which typically require notifications to be sent to appropriate state Attorneys General if a data breach exceeds a certain threshold. States have the authority to bring civil actions against healthcare organizations that fail to issue breach notifications under both HIPAA and state laws. In California, the threshold for reporting breaches is in line with HIPAA. If a data breach is experienced that impacts 500 or more California residents, the California Department of Justice (DOJ) must be notified.

Recently, there have been several instances where the California DOJ has not been notified about ransomware attacks on California healthcare facilities, even though the personal and protected health information of California residents has likely been compromised in those attacks.

California Attorney General Rob Bonta has recently issued a bulletin reminding all entities that house the confidential health-related information of California residents of their data breach reporting responsibilities under California law (Civil Code section 1798.82). Whenever there has been a breach of the health data of 500 or more California residents, a breach report must be submitted to the Office of the Attorney General. The California DOJ then publishes the breach notice on its website to ensure the public is made aware of the breach to allow victims to take appropriate action to protect themselves against identity theft and fraud. Individual notifications must also be issued to affected individuals.

“Timely breach notification helps affected consumers mitigate the potential losses that could result from the fraudulent use of their personal information obtained from a breach of health data,” said Attorney General Bonta. “Therefore, it is important for providers of healthcare to be proactive and vigilant about reducing their risk for ransomware attacks and to meet their health data breach notification obligations to protect the public.”

In the bulletin, Attorney General Bonta also urged healthcare organizations to take proactive steps to protect patient data against ransomware attacks.

“State and federal health data privacy frameworks, like the Confidentiality of Medical Information Act (CMIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), obligate healthcare entities and organizations that deal in health data to establish appropriate procedures to ensure the confidentiality of health-related information, including security measures that can help prevent the introduction of malware, including ransomware, to protect consumers’ healthcare-related information from unauthorized use and disclosure,” explained AG Bonta.

Healthcare organizations are encouraged to take the following proactive steps:

  • Keep operating systems and software housing health data current
  • Apply security patches promptly
  • Install and maintain antivirus software
  • Provide regular data security training to employees, including education about phishing attacks
  • Restrict users from downloading, installing, and running unapproved software
  • Maintain and regularly test the data backup and recovery plan for all critical information

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.