Health Data Leaks Prompt New Data Breach Notification Law
A recent breach at UCLA Health that exposed the records of roughly 4.5 million patients prompted a swift response from the California legislature: Governor Jerry Brown has signed three separate bills designed to protect California consumers and to keep them informed when their personal and health records are involved in a data breach.
UCLA Breach Affects 4.5 Million Consumers
The UCLA breach was disclosed in July 2015 and was only one of many, if perhaps the most prominent, attacks on the California healthcare industry in recent years. UCLA administrators attributed the intrusion to a sophisticated offshore group that gained access to the personal information of 4.5 million people in the UCLA Health system, including Social Security numbers, health insurance IDs, and diagnosis and treatment records. UCLA said it had no evidence that the attackers actually copied the data out of the network, but the information they could reach is exactly what is needed for identity theft and medical insurance fraud. UCLA was criticized for the delay in notifying the affected individuals: an investigation into suspicious activity, involving the FBI, had begun in October 2014, and by May 2015 UCLA had determined that the attackers reached the parts of the network holding personal data, yet patients were not notified until July.
New Law Clarifies Data Breach Definitions and Strengthens Notice Requirements
The three bills signed into law are an attempt to strengthen data security rules while providing a framework for how organizations must notify consumers of data breaches. Taken together, they make three changes. The first defines "encrypted" (with respect to properly encrypted data) to mean "rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information technology." In practical terms, that wording favors standard, vetted cryptography over home-grown obfuscation, and an organization that wants to rely on the definition should also be able to show that the keys were not exposed alongside the data. The second expands the definition of "personal information" which, when breached, must be reported by the custodian of the information, to include information captured by automatic license plate recognition systems (while not directly related to the healthcare industry, the state's collection and retention of license plate data through automated technology has become a separate source of controversy with regard to privacy rights).
The third provides the framework that data breach notices must follow when a breach occurs, with a focus on readability and comprehension for the average consumer. Under the new law, data breach notices must be titled "Notice of Data Breach" and include the following subheadings:
- “What Happened?”
- “What Information Was Involved?”
- “What We Are Doing”
- “What You Can Do”
- “Other Important Information”
- “For More Information” (this section should include a phone number or web site)
Other Recent Healthcare Breaches
The UCLA Health breach was only one of numerous recent attacks against the healthcare industry. In May 2015, CareFirst BlueCross BlueShield announced that the personal information of 1.1 million current and former members had been compromised by a cyberattack in which intruders gained access to one of its databases in 2014. A few months earlier, in what remains the largest cyberattack on the US healthcare industry, Anthem Inc., the second-largest health insurer in the country, announced that the personal information of as many as 80 million people may have been compromised after attackers broke into a database containing Social Security numbers, email addresses, birthdates, employment information, and medical identification numbers.
Work with Experienced Data Security Attorneys
For more information on strategies to help you and your business avoid data security breaches, and on how to respond to a breach that may have already occurred, contact the data security attorneys at McCune Wright Arevalo, LLP at (909) 345-8110.