Risk

12/7/2010
07:35 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

California Does Health Care Data Breaches Right

Since this spring, the California Department of Public Health has fined 12 health facilities about $1.5 million as a result of data breaches. Let's hope they keep fining organizations that fail to properly protect patient data.

Since this spring, the California Department of Public Health has fined 12 health facilities about $1.5 million as a result of data breaches. Let's hope they keep fining organizations that fail to properly protect patient data.If you've been reading my posts long enough, you know that I consider health care data breaches much worse on consumers that credit card breaches. With credit card breaches most users are held liable for $50 - if that - and fraudulent transactions can be cleaned up pretty quickly. Not always so with private health care data - once confidential information is spilled onto the Internet, it can't be put back into the bottle. Friends, co-workers, family members, and potential employers may forever know what was supposed to be kept confidential.

That's why when clicking through my normal blog and news reading last night, I was happy to read the post California Department of Public Health Continues to Fine Hospitals and Nursing Homes for Data Breaches that detailed the million and a half in fines as a result of Californian Health and Safety Code 1280.15(a) that requires health facilities to properly protect patient data:

Violations of this requirement can result in penalties of up to $25,000 per patient and up to $17,500 per subsequent occurrences of unlawful or unauthorized access, use or disclosure of that patients medical information.

In its most recent wave of penalties, announced November 19, 2010, CDPH assessed fines totaling $792,500 against six hospitals and one nursing home that it determined failed to prevent unauthorized access to confidential patient medical information. In one case, a health facility was fined $310,000:

$60,000 because the facility failed to prevent unauthorized access and disclosure of one patient's medical information by two employees on three occasions.

$250,000 because the facility failed to prevent the theft of 596 patients' medical information

Not only does California have this consumer protection law on their books, they're actively enforcing it. So, just as California set an important path with SB 1383 in 2003 - which sent into motion the legislatures in most states to follow suit - let's hope the state is setting another example that many more states will emulate.

For my security and technology observations throughout the day, follow me on Twitter.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
Kelly Sheridan, Staff Editor, Dark Reading,  6/20/2018
Tesla Employee Steals, Sabotages Company Data
Jai Vijayan, Freelance writer,  6/19/2018
Inside a SamSam Ransomware Attack
Ajit Sancheti, CEO and Co-Founder, Preempt,  6/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-7679
PUBLISHED: 2018-06-21
Micro Focus Solutions Business Manager versions prior to 11.4 when ASP.NET is configured with execute permission on the virtual directories and does not validate the contents of user avatar images, could lead to remote code execution.
CVE-2018-7680
PUBLISHED: 2018-06-21
Micro Focus Solutions Business Manager versions prior to 11.4 can reflect back HTTP header values.
CVE-2018-7681
PUBLISHED: 2018-06-21
Micro Focus Solutions Business Manager versions prior to 11.4 allows JavaScript to be embedded in URLs placed in "Favorites" folder. If the user has certain administrative privileges then this vulnerability can impact other users in the system.
CVE-2018-7683
PUBLISHED: 2018-06-21
Micro Focus Solutions Business Manager versions prior to 11.4 might reveal certain sensitive information in server log files.
CVE-2018-12617
PUBLISHED: 2018-06-21
qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when trying to allocate a large memory chunk. The vulnerability can be exploited by sending a craf...