Risk
12/7/2010
07:35 PM
George V. Hulme
George V. Hulme
Commentary
Connect Directly
RSS
E-Mail
50%
50%

California Does Health Care Data Breaches Right

Since this spring, the California Department of Public Health has fined 12 health facilities about $1.5 million as a result of data breaches. Let's hope they keep fining organizations that fail to properly protect patient data.

Since this spring, the California Department of Public Health has fined 12 health facilities about $1.5 million as a result of data breaches. Let's hope they keep fining organizations that fail to properly protect patient data.If you've been reading my posts long enough, you know that I consider health care data breaches much worse on consumers that credit card breaches. With credit card breaches most users are held liable for $50 - if that - and fraudulent transactions can be cleaned up pretty quickly. Not always so with private health care data - once confidential information is spilled onto the Internet, it can't be put back into the bottle. Friends, co-workers, family members, and potential employers may forever know what was supposed to be kept confidential.

That's why when clicking through my normal blog and news reading last night, I was happy to read the post California Department of Public Health Continues to Fine Hospitals and Nursing Homes for Data Breaches that detailed the million and a half in fines as a result of Californian Health and Safety Code 1280.15(a) that requires health facilities to properly protect patient data:

Violations of this requirement can result in penalties of up to $25,000 per patient and up to $17,500 per subsequent occurrences of unlawful or unauthorized access, use or disclosure of that patients medical information.

In its most recent wave of penalties, announced November 19, 2010, CDPH assessed fines totaling $792,500 against six hospitals and one nursing home that it determined failed to prevent unauthorized access to confidential patient medical information. In one case, a health facility was fined $310,000:

$60,000 because the facility failed to prevent unauthorized access and disclosure of one patient's medical information by two employees on three occasions.

$250,000 because the facility failed to prevent the theft of 596 patients' medical information

Not only does California have this consumer protection law on their books, they're actively enforcing it. So, just as California set an important path with SB 1383 in 2003 - which sent into motion the legislatures in most states to follow suit - let's hope the state is setting another example that many more states will emulate.

For my security and technology observations throughout the day, follow me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4262
Published: 2014-07-28
svnwcsub.py in Subversion 1.8.0 before 1.8.3, when using the --pidfile option and running in foreground mode, allows local users to gain privileges via a symlink attack on the pid file. NOTE: this issue was SPLIT due to different affected versions (ADT3). The irkerbridge.py issue is covered by CVE-...

CVE-2013-4840
Published: 2014-07-28
Unspecified vulnerability in HP and H3C VPN Firewall Module products SECPATH1000FE before 5.20.R3177 and SECBLADEFW before 5.20.R3177 allows remote attackers to cause a denial of service via unknown vectors.

CVE-2013-7393
Published: 2014-07-28
The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions...

CVE-2014-2974
Published: 2014-07-28
Cross-site request forgery (CSRF) vulnerability in php/user_account.php in Silver Peak VX through 6.2.4 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts.

CVE-2014-2975
Published: 2014-07-28
Cross-site scripting (XSS) vulnerability in php/user_account.php in Silver Peak VX before 6.2.4 allows remote attackers to inject arbitrary web script or HTML via the user_id parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.