California Attorney General Issues Bulletin on Health Data Breach Reporting Requirements
The California Attorney General ("AG") has issued guidance reminding health care providers of their duty to report health care data breaches and to comply with other state and federal data privacy laws.
On August 24, 2021, the California AG issued a bulletin reminding health care providers of their duty to notify the AG in the event of a "data breach" affecting 500 or more California residents. According to the accompanying press release, the bulletin "comes on the heels of multiple unreported ransomware attacks against California health care facilities."
Under California Civil Code § 1798.82, an entity—including a health care provider—that conducts business in California and owns or licenses computerized data must notify the California AG if personal information of 500 or more California residents has been, or is reasonably believed to have been, acquired by an unauthorized party. The entity must provide a "sample copy" of the breach notification to be given to California residents along with additional information, including (i) type(s) of personal information involved; (ii) number of individuals affected; (iii) type of breach; and (iv) a brief description of the breach.
The bulletin also notes the obligation of health care entities to "establish appropriate procedures to ensure the confidentiality of health-related information, including security measures that can help prevent the introduction of malware[.]" To that end, the bulletin suggests the following preventive measures to protect against ransomware:
- Keep systems and software housing health data current with the latest security patches;
- Install and maintain virus protection software;
- Provide regular data security training, including education on web browsing and guarding against phishing;
- Restrict users from downloading, installing, and running unapproved software; and
- Maintain and regularly test data backup and recovery plan for critical information to limit the impact of data/system loss in the event of a data security incident.
Notably, this bulletin comes after the California Department of Public Health's July 2021 issuance of regulations that include a 15-day notification requirement for a health care facility in the event of a "medical information breach" by the facility or its business associate. Together, these issuances signify a potentially problematic health privacy enforcement trend and this bulletin indicates the California AG has an interest in policing notification obligations, particularly as they relate to health care providers. A number of other states have similar laws requiring entities to notify the state AG of certain cybersecurity incidents affecting protected health information. In light of the increasing prevalence of ransomware attacks, especially those involving data theft, entities operating in California and these other states should familiarize themselves with these regulatory requirements and assess their preparedness to meet them.