California Reminds Healthcare Orgs of Data Breach Reporting Obligations
Hospitals and healthcare providers in the state have been failing to report ransomware attacks that impact health data belonging to patients.
Healthcare facilities in California have had a lot on their plate.
Along with the emotional rollercoaster that the pandemic has been, healthcare organizations continue to remain an appealing target for attackers looking to spread ransomware; some victim organizations have even had to resort to pen and paper to get day to day work done.
That’s all in addition to complying with the California Consumer Privacy Act, the state’s latest privacy law. The law went into effect on January 1, 2020, but enforcement began on July 1, just months after the COVID-19 pandemic began ravaging the country.
Lost in the shuffle at healthcare providers it seems has been efforts to satisfy the CCPA reporting requirements under the state's privacy laws.
California's Attorney General Rob Bonta reiterated this week that the state must be notiied when a facility experiences an attack that results in the compromise of 500 or more California residents. Bonta stressed that there's been several instances lately in which the state's Department of Justice hasn't been notified of attacks - primarily ransomware attacks - in which it seems personal and protected health information was compromised.
Bonta didn't single out a particular hospital or healthcare facility but there's been no shortage of incidents of late. The largest took down Scripps Health, a San Diego nonprofit healthcare provider, and its hospital system for weeks on end. Hospitals had to divert ambulances, switch to offline chart systems, and reschedule appointments.
Just last week, in its quarterly financial and operating filings, the provider said it planned to lose roughly $106.8 million as a result of the ransomware attack. The May attack left Scripps Health and its electronic medical records system offline for almost four weeks.
While California isn't the only state where this is happening, it is leading the charge.
A Health Sector Cybersecurity Coordination Center (HC3) report earlier this summer found that out of any sector, the California healthcare industry has experienced the most ransomware incidents so far this year, 12% of all U.S. incidents.
That's partially why Bonta reminded organizations of their data breach reporting responsibilities in a bulletin on Tuesday.
“Entities entrusted with private and deeply personal data, like hospitals and other healthcare providers, must secure information against evolving threats,” said Attorney General Bonta. “California law mandates that data breaches impacting more than 500 of our residents be reported to the California Department of Justice. In addition, I implore all entities that house confidential health-related information to be vigilant and take steps now to protect patient data, before a potential cyberattack.”
Bonta reiterated that businesses are required to report under California law (Civil Code section 1798.82) and that after reporting to the Office of the Attorney General, the breach surfaces on the AG's Department of Justice website.
Scripps appears on the list; it’s one of almost 150 breaches affecting more than 500 California residents reported to the California AG this year.
Bonta also encouraged organizations if they haven't already to employ the following steps to protect patient data:
- Keep all operating systems and software housing health data current with the latest security patches;
- Install and maintain virus protection software;
- Provide regular data security training for staff members that includes education on not clicking on suspicious web links and guarding against phishing emails;
- Restrict users from downloading, installing, and running unapproved software; and
- Maintain and regularly test a data backup and recovery plan for all critical information to limit the impact of data or system loss in the event of a data security incident.