
California Fines Five Hospitals For Failure To Protect Patient Data

Unauthorized access leads to stiff penalties, showing teeth behind new state law

The California Department of Public Health (CDPH) announced today that five California hospitals have been assessed administrative penalties and fines totaling $675,000 for failing to prevent unauthorized access to confidential patient medical information.

"Medical privacy is a fundamental right and a critical component of quality medical care in California," said Dr. Mark Horton, director of CDPH. "We are very concerned with violations of patient confidentiality and their potential harm to the residents of California."

The following hospitals received penalties:

1. Community Hospital of San Bernardino was assessed a $250,000 fine after the facility failed to prevent unauthorized access of 204 patients’ medical information by one employee.

2. Community Hospital of San Bernardino was assessed a $75,000 fine after the facility failed to prevent unauthorized access of three patients' medical information by one employee.

3. Enloe Medical Center, Chico, was assessed a $130,000 fine after the facility failed to prevent unauthorized access of one patient's medical information by seven employees.

4. Rideout Memorial Hospital, Marysville, was given a $100,000 fine after the facility failed to prevent unauthorized access of 33 patients' medical information by 17 employees.

5. Ronald Reagan UCLA Medical Center, Los Angeles, was levied with a $95,000 fine after the facility failed to prevent unauthorized access of one patient's medical information by four employees.

6. San Joaquin Community Hospital, Bakersfield, was assessed a $25,000 fine after the facility failed to prevent unauthorized access of three patients' medical information by two employees.

CDPH assessed the penalties under new California legislation intended to protect the confidentiality of medical records. Under the law, an administrative penalty of $25,000 may be assessed against a medical facility for the breach of each patient's medical information. A penalty of up to $17,500 is added for each subsequent breach of each patient's medical information.

After being hit with a penalty, facilities are required to submit a plan of correction to CDPH within 10 working days and to implement that plan to prevent future incidents. Facilities can appeal an administrative penalty by requesting a hearing within 10 calendar days of notification.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
