Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/7/2010
07:35 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

California Does Health Care Data Breaches Right

Since this spring, the California Department of Public Health has fined 12 health facilities about $1.5 million as a result of data breaches. Let's hope they keep fining organizations that fail to properly protect patient data.

Since this spring, the California Department of Public Health has fined 12 health facilities about $1.5 million as a result of data breaches. Let's hope they keep fining organizations that fail to properly protect patient data.If you've been reading my posts long enough, you know that I consider health care data breaches much worse on consumers that credit card breaches. With credit card breaches most users are held liable for $50 - if that - and fraudulent transactions can be cleaned up pretty quickly. Not always so with private health care data - once confidential information is spilled onto the Internet, it can't be put back into the bottle. Friends, co-workers, family members, and potential employers may forever know what was supposed to be kept confidential.

That's why when clicking through my normal blog and news reading last night, I was happy to read the post California Department of Public Health Continues to Fine Hospitals and Nursing Homes for Data Breaches that detailed the million and a half in fines as a result of Californian Health and Safety Code 1280.15(a) that requires health facilities to properly protect patient data:

Violations of this requirement can result in penalties of up to $25,000 per patient and up to $17,500 per subsequent occurrences of unlawful or unauthorized access, use or disclosure of that patients medical information.

In its most recent wave of penalties, announced November 19, 2010, CDPH assessed fines totaling $792,500 against six hospitals and one nursing home that it determined failed to prevent unauthorized access to confidential patient medical information. In one case, a health facility was fined $310,000:

$60,000 because the facility failed to prevent unauthorized access and disclosure of one patient's medical information by two employees on three occasions.

$250,000 because the facility failed to prevent the theft of 596 patients' medical information

Not only does California have this consumer protection law on their books, they're actively enforcing it. So, just as California set an important path with SB 1383 in 2003 - which sent into motion the legislatures in most states to follow suit - let's hope the state is setting another example that many more states will emulate.

For my security and technology observations throughout the day, follow me on Twitter.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11844
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-6937
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
CVE-2020-7648
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
CVE-2020-7650
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
CVE-2020-7654
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.