By Brandon M. Jasso, CIPP/US
On August 24, 2021, California Attorney General Rob Bonta (“AG”) issued guidance to healthcare facilities and providers to remind them of their existing and continuing obligations under state and federal health data privacy laws, including health data breach reporting requirements. The guidance came via a bulletin sent to a variety of stakeholder organizations, including the California Hospital Association, the California Medical Association, and the California Dental Association. The AG reminded healthcare providers that the California Department of Justice is committed to enforcing consumer protections and health privacy laws.
The AG further reminded providers and organizations that attacks on the healthcare sector have interrupted services to patients, which has adversely affected, and will continue to adversely affect, patients’ trust. The AG also pointed out that data breaches have long-term effects that outlast the initial breach, such as “fraudulent use of [patients] personal information obtained from a breach of health data.” Providers and organizations have a duty to be “proactive and vigilant” about protecting themselves against ransomware attacks and breaches and must “meet their health data breach notification obligations to protect the public.”
The AG’s bulletin comes as the healthcare industry—already suffering under the strain of the increased demands caused by COVID-19—has been subject to a continuing increase in ransomware attacks since 2020. In general, there has been an overall 102% increase in organizations being affected by ransomware, with the healthcare industry globally sustaining an average of 109 attack attempts per organization each week. According to IBM, for the eleventh consecutive year, healthcare has had the highest breach cost of any industry, with the average total cost increasing from $7.13 million in 2020 to $9.23 million in 2021, a 29.5% increase.
In his bulletin, the AG reminded recipients that state and federal laws obligate healthcare entities and organizations to establish policies and security measures concerning protected health information. To emphasize the importance of compliance, the AG also reminded recipients that the California Attorney General has authority to bring civil actions on behalf of California residents under the Health Insurance Portability and Accountability Act (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”). See 42 U.S.C. § 1320d-5(d).
The AG’s bulletin also added that entities should put in place the following minimum preventative measures to protect against ransomware attacks:
- keep all operating systems and software housing health data current with the latest security patches;
- install and maintain virus protection software;
- provide regular data security training for staff members that includes education on not clicking on suspicious web links and guarding against phishing emails;
- restrict users from downloading, installing, and running unapproved software; and
- maintain and regularly test a data backup and recovery plan for all critical information to limit the impact of data or system loss in the event of a data security incident.
Organizations, providers, and professionals should take note of what the AG has stated as the minimum preventative measures because, should an AG investigation occur, the listed measures will most likely be scrutinized when determining any penalties or claims against an organization or provider.
Organizations, providers, and privacy professionals must also be familiar with breach notice and reporting requirements under the Confidentiality of Medical Information Act (“CMIA”) and HIPAA (as amended by HITECH). The HIPAA breach notification rules can be found in 45 C.F.R. §§ 164.400–414 and 42 U.S.C. § 17932, and apply to covered entities and business associates following a breach of unsecured protected health information. The California breach reporting requirements can be found in Civ. Code § 1798.82. Additionally, the same parties must be familiar with the requirements under the HIPAA Security and Privacy Rules (and the California corollaries, see Health & Safety Code §§ 1280.15 and 1280.18) in order to actively and effectively secure patients’ protected health information.
For information about recent breaches, the AG’s Office publishes a list of breach notices that entities have submitted to it, and the United States Department of Health and Human Services, Office for Civil Rights, publishes the breach notices it has received.