• Lessons from the California AG’s Data Breach Report for the Health Care Industry
  • July 15, 2013 | Author: Stephanie D. Willis
  • Law Firm: Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. - Washington Office
  • Our sister blog, Privacy and Security Matters, recently posted a comprehensive analysis of the newly released data breach report from the California Attorney General’s Office (AG Report).The AG Report is the first state-based, state-specific review of reported data breaches, and it analyzes the data by industry sector, the breach size, the breach’s root cause, and the type of data compromised. Of note, breaches involving the health care industry comprised 15% of the total reported breaches (19 out of 131) last year in California.

    Based on the review of the data from 2012 breaches, the AG Report recommended that companies focus on improving the following areas of privacy and security:

    • Encryption - The AG Report foreshadows that breach investigations from it and other state agencies will focus on those involving unencrypted personal information.
    • Security Training - The AG Report strongly recommends that companies continually review and update their security procedures, as well as provide regular training for employees and contractors to maintain compliance.
    • Readability of Consumer Breach Notifications - The AG Report emphasizes that companies should ensure that recipients actually understand the content of such notices; this goal should also apply to any terms of use and privacy policies provided to consumers.
    • Offering Credit Monitoring Assistance - This added remedial measure, when offered to consumers, may be costly and time-consuming, but it can limit subsequent compromising of protected information going forward.

    Although the AG Report targets all types of companies who receive sensitive individual information, the above recommendations are especially important for health care covered entities and business associates who need to comply with state laws and the final Privacy, Security, and Breach Notification Rules recently promulgated in the HIPAA Omnibus Rule.