Healthcare Data Breach Cost: California Fines Hospital $250,000 For Late Disclosure Of Breach (Updated)

Update (09 SEP 2010): The above title originally read "for non-disclosure of breach."  Corrected to "late disclosure." 

Lucile Salter Packard Children's Hospital at Stanford University was fined $250,000 for not promptly reporting a data breach to the state of California.  The story shows that preventing data breaches (in this case, using hard disk encryption software like AlertBoot on desktop computers) is better than cleaning up after one.  For more reasons than you can imagine.

California Allows Fines Up to $250,000

The children's hospital reported the theft of a desktop computer to the HHS, no doubt to comply with the interim final regulation of the HITECH Act of 2009.  The breach is listed as having occurred on 11 JAN 2010, and affected 532 people.  The hospital did not report the breach to the California Department of Public Health (CDPH) until April 23, which is 102 days after the breach took place.

The hospital was fined the maximum amount under California law, $250,000.  The same law allows a fine to be assessed in the amount of $100 per day per patient medical record that was breached but not reported, according to healthleadersmedia.com.  (Fines of up to $25,000 per patient record compromised can also be assessed, but it looks like this hasn't happened.)

With 532 patient records at $100 per day each, the $250,000 cap would have been reached in less than 5 days of failing to report the breach on time.

CDPH requires a medical establishment to report a breach within 5 days of detection, so if that reporting window is counted as well, the cap would have been reached within 10 days or so of the breach.  Contrast that with the HITECH requirement of reporting a breach within 60 days.  California certainly marches to the beat of a different drum!

The hospital has announced that it will appeal the penalty, noting:

As soon as the hospital and law enforcement determined the computer was not currently recoverable, the hospital reported the incident to the CDPH and federal authorities, as well as the families of potentially-affected patients...a thorough investigation by the hospital and CDPH was conducted...was determined to be an isolated incident. [healthleadersmedia.com, my emphases]

Is Desktop Encryption Not Advanced Technology?

I must admit there was something in the children's hospital's commentary that irked me:

"The privacy and security safeguards we employ are some of the most advanced technologies and controls available to hospitals today." [healthleadersmedia.com]

This statement was made despite the fact that the stolen desktop computer was protected only by a password, and not by encryption software specifically designed to prevent unauthorized people from accessing the data.

Granted, it wasn't claimed that only the most advanced technologies were used...but still.

I mean, if you had to cool off a room and you brought in the most advanced fan (think of that Dyson bladeless fan, although I'm sure plenty of detractors would argue about the "advanced" claim) instead of a 10-year-old-yet-functional air conditioning unit, you could still claim that you're using some of the most advanced cooling technologies available today.

But, there's no way that fan is going to do as good a job as the old AC.  And so it is with password-protection vs. encryption.  I don't know what the hospital was using for physical safeguards, but when it comes to data safety, a claim of "the most advanced technologies" falls short if password-protection was used instead of an encryption program.

Yes, there are many ways to go about protecting data.  But most data security experts will note that encryption is an important aspect of data security, if you need to secure data.  Plus, it's about the only data security tool that provides safe harbor from breach notifications and fines under many state and federal laws, including the law that affected the children's hospital above: AB 1298.


Related Articles and Sites:
http://www.databreaches.net/?p=13759
http://www.healthleadersmedia.com/page-1/TEC-256217/Hospital-Fined-250000-For-Not-Reporting-Data-Breach

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.