Calif. Department: We Didn’t Delay on Breach Notifications

The California Department of Public Health, which recently took 80 days to report its second major breach of protected information in less than a year–and 79 days to report the first breach–was in compliance with state law and did not unreasonably delay reporting, the department says in e-mailed answers to questions from Health Data Management.

The breaches did not fall under the federal health care breach notification rule, but reporting was required under state law. While the federal rule mandates notification within 60 days of discovery of a breach, California's law, which applies across industries, sets no specific time limit.

"The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system," the law states.

Asked why it took so long to notify affected individuals following the breaches, the department answered: "With respect to both the September 2010 and the April 2011 breaches, the department believes no inordinate amount of time elapsed between the discovery of the breaches and the ultimate notification of affected individuals. In both breaches, the department acted without unreasonable delay, consistent with all the measures that were necessary to determine the scope of these two large and complicated breaches."

The September 2010 loss of a magnetic tape affected about 2,550 individuals. The April 2011 discovery that an employee had improperly copied information, over a period of up to four years, to a private hard drive that was never recovered affected about 9,000. Both incidents required time-consuming forensic analysis of hardware and storage media, according to the department.

The 2010 breach required 15 different types of notification letters in order to identify precisely which personal information had been lost for each individual. Law enforcement became involved in the 2011 breach, adding time, and that breach touched information from two state departments, which meant additional investigative, communication and approval steps, according to the department.
