The California Department of Public Health, which previously has fined at least a dozen hospitals and one nursing home for privacy violations, has suffered its second major breach of protected health information since September 2010--and took 80 days to report this second breach. Its first breach took 79 days to report.

It was not immediately clear if either incident falls under the federal breach notification rule, but the first breach is not listed on the federal government's public Web site listing breaches of PHI affecting 500 or more individuals. The notification rule covers HIPAA covered entities--providers, clearinghouses and insurers--that conduct electronic HIPAA transactions.  Consequently, a health department would be required to report if a breach involved electronic billings for flu shots or other treatments. California also has its own breach notification law. A spokesperson for the department was not immediately available.

The breach affects about 9,000 current and former state health department employees. The department's information security systems on April 5 detected unusual activity, which turned out to be an employee who improperly copied information to a private hard drive, according to a June 24 statement from the department.  The employee has been unable "to account for the disposition of that data or the equipment onto which the data was copied," and is on administrative leave pending completion of the incident.

Information on the hard drive included names and addresses, and various combinations of Social Security numbers, ethnicity, dates of birth, individuals listed as next of kin and their addresses, and/or information from workers' compensation documents, according to the statement. But unauthorized access to the information may have begun around July 1, 2007, the department acknowledges.

The department is offering affected individuals a year of paid credit monitoring services from Experian.

In the September 2010 incident, the department lost a magnetic tape that was being delivered from one department facility to another and contained protected information on 2,550 individuals. The tape was discovered to be missing on Sept. 27; the department finished compiling a list of affected individuals on Nov. 23 and publicly reported the breach on Dec. 15.

