Return of the Guru

Late Reporting of Breach Draws Penalty—Insurers, Take Note

Ara Trembly
Insurance Experts' Forum, September 13, 2010

In case you haven’t noticed, the recession is far from over, and in the case of some state governments, the situation has resulted in virtual bankruptcy. As a result, these governments will likely seek to boost income at the drop of a hat, or in this case, at the theft of a computer.

Several Internet news sources are reporting that Palo Alto, Calif.-based Lucile Packard Children's Hospital has appealed a $250,000 fine for tardily reporting a data breach to the California Department of Public Health (CDPH). According to the hospital, the incident was related to the apparent theft earlier in the year of a password-protected desktop computer that contained the personal information of about 532 patients.

“The computer in question was used by an employee whose job required access to patient information,” said a hospital news release. “Even though the employee had signed written commitments to keep patient information confidential and secure in accordance with legal requirements and hospital policies, the hospital received reports that the now-former employee allegedly removed the computer from hospital premises and took it home. The hospital immediately began a thorough investigation and also reported the matter to law enforcement in an attempt to recover the computer quickly.” The former employee has since been charged with theft, and the hospital says the computer was not recoverable.

That all sounds perfectly reasonable, except that it wasn’t enough to keep the hospital from a hefty fine for late reporting. Under California law, health care organizations must report a breach that could expose protected health information to appropriate government agencies and affected individuals within five days of its discovery. The penalty for failing to meet the deadline is $100 per day per breached record up to a maximum of $250,000.

A CDPH spokesman said that affected patients at Lucile Packard Hospital were not informed of the breach for 19 days after it was discovered. Thus, the hospital was assessed the maximum penalty.

The hospital defended its belated alert to the department on the grounds that it was investigating with police what had happened to the computer, said one Internet source.

After determining that it could not retrieve the device, the hospital then informed the department, it said.

Now here’s where things get a little tricky. Why should an investigation preclude informing the state government and the affected parties? Well, maybe the police asked the hospital to keep things under wraps until they could investigate. That seems possible, but no one has offered that up as the reason for the hospital’s tardy response. Until and unless that is said and confirmed, it looks much more like the hospital was trying to keep everything quiet while it desperately searched for the purloined computer.

This is not a condemnation of the hospital. Many of our organizations might have reacted the same way—hoping against hope to stop a problem before it grew to unmanageable proportions. On the other hand, if yours was one of the records stolen along with the computer, you’re probably not inclined to withhold your opprobrium. The hospital claims there has been no damage to the affected parties thus far, but with the device still out there, one never knows.

This should serve as a dire warning to all of us in the insurance community whose enterprises hold confidential information on insureds—and that is just about every insurer and agent. Individuals and governments will not hold back if records are compromised and we are even slightly tardy in reporting as required.

In the end—statute or no statute—it’s the right thing to do. And it could save you a big fine and an even bigger embarrassment.

Ara C. Trembly (www.aratremblytechnology.com) is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.

He can be reached at ara@aratremblytechnology.com.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.

