As we mentioned previously, California has the strictest data breach notification statute in the country, allowing entities only five days to report a breach and not permitting even the customary delay for law enforcement investigations. The California Department of Public Health (CDPH) is charged with enforcing this statute, contained in Section 1280.15 of the California Health and Safety Code, and may impose a maximum fine of $250,000 for each breach incident.
CDPH imposed the maximum $250,000 fine on Lucile Salter Packard Children's Hospital (LSPCH) at Stanford University for failing to report, within five days, a breach involving 532 patients. The breach resulted from an LSPCH employee allegedly stealing a laptop containing the PHI of those 532 patients.
The somewhat shocking part is that CDPH levied the maximum fine on this hospital even though the hospital self-reported the breach, after its own investigation, less than three weeks after discovering it. LSPCH discovered the breach on February 1, 2010, but did not report it until February 19, 2010. In fact, CDPH learned of the breach from the hospital's own notice. While this is a clear violation of the five-day rule (however just or draconian that rule may be), it does not seem to be an egregious violation that would merit the maximum fine. LSPCH believes that its notification to the state and to the affected individuals was reasonable and timely, and it is appealing the fine.
Packard Children's believes it did what it was supposed to do:
The computer in question was used by an employee whose job required access to patient information. Even though the employee had signed written commitments to keep patient information confidential and secure in accordance with legal requirements and hospital policies, the hospital received reports that the now-former employee allegedly removed the computer from hospital premises and took it home. The hospital immediately began a thorough investigation and also reported the matter to law enforcement in an attempt to recover the computer quickly.
As soon as the hospital and law enforcement determined the computer was not recoverable, the hospital voluntarily reported the incident to the California Department of Public Health (CDPH) and federal authorities, as well as the families of potentially affected patients. The hospital also provided to the families identity theft protection and other support services.
Theft charges have been filed against the former employee.
Packard Children's believes that there has been no unauthorized or inappropriate access to the information on the computer. "We use very sophisticated tools to conduct investigations such as this," said Ed Kopetsky, chief information officer at Packard Children's. "We are able to detect if the missing computer connects to a network that has access to the Internet and we've been monitoring this activity regularly to determine if this computer has been online anywhere. It has not."
"This theft was very unfortunate," said Susan Flanagan, RN, chief operating officer. "We hold ourselves to the highest standards in taking care of the children we treat, and we are committed to providing the best care possible and to protecting our children's privacy. The privacy and security safeguards we employ are some of the most advanced technologies and controls available to hospitals today."
This response seems proper and reasonable. What more could a hospital do? In California, report the breach within the required five days. But even though the hospital missed that deadline, imposing the maximum fine for the reasonable response outlined above seems too harsh.
Finally, it is worth pointing out that California is clearly determined to enforce these laws. According to Health Leaders Media, CDPH levied over $1.8 million in fines against 143 hospitals under the breach notification statute and the similar requirement for reporting wrong-site surgery or foreign objects left inside a patient.
"Hospital Fined $250,000 For Not Reporting Data Breach," Health Leaders Media (September 10, 2010).