Return of the Guru

Late Reporting of Breach Draws Penalty—Insurers, Take Note

Ara Trembly
Insurance Experts' Forum, September 13, 2010

In case you haven’t noticed, the recession is far from over, and in the case of some state governments, the situation has resulted in virtual bankruptcy. As a result, these governments will likely seek to boost income at the drop of a hat, or in this case, at the theft of a computer.

Several Internet news sources are reporting that Palo Alto, Calif.-based Lucile Packard Children's Hospital has appealed a $250,000 fine for tardily reporting a data breach to the California Department of Public Health (CDPH). According to the hospital, the incident was related to the apparent theft earlier in the year of a password-protected desktop computer that contained the personal information of about 532 patients.

“The computer in question was used by an employee whose job required access to patient information,” said a hospital news release. “Even though the employee had signed written commitments to keep patient information confidential and secure in accordance with legal requirements and hospital policies, the hospital received reports that the now-former employee allegedly removed the computer from hospital premises and took it home. The hospital immediately began a thorough investigation and also reported the matter to law enforcement in an attempt to recover the computer quickly.” The former employee has since been charged with theft, and the hospital says the computer was not recoverable.

That all sounds perfectly reasonable, except that it wasn’t enough to keep the hospital from a hefty fine for late reporting. Under California law, health care organizations must report a breach that could expose protected health information to appropriate government agencies and affected individuals within five days of its discovery. The penalty for failing to meet the deadline is $100 per day per breached record up to a maximum of $250,000.

A CDPH spokesman said that affected patients at Lucile Packard Hospital were not informed of the breach for 19 days after it was discovered. Thus, the hospital was assessed the maximum penalty.

The hospital defended its belated alert to the department on the grounds that it was investigating with police what had happened to the computer, said one Internet source.

After determining that it could not retrieve the device, the hospital then informed the department, it said.

Now here’s where things get a little tricky. Why should an investigation preclude informing the state government and the affected parties? Well, maybe the police asked the hospital to keep things under wraps until they could investigate. That seems possible, but no one has offered that up as the reason for the hospital’s tardy response. Until and unless that is said and confirmed, it looks much more like the hospital was trying to keep everything quiet while it desperately searched for the purloined computer.

This is not a condemnation of the hospital. Many of our organizations might have reacted the same way—hoping against hope to stop a problem before it grew to unmanageable proportions. On the other hand, if yours was one of the records stolen along with the computer, you’re probably not inclined to withhold your opprobrium. The hospital claims there has been no damage to the affected parties thus far, but with the device still out there, one never knows.

This should serve as a dire warning to all of us in the insurance community whose enterprises hold confidential information on insureds—and that is just about every insurer and agent. Individuals and governments will not hold back if records are compromised and we are even slightly tardy in reporting as required.

In the end—statute or no statute—it’s the right thing to do. And it could save you a big fine and an even bigger embarrassment.

Ara C. Trembly (www.aratremblytechnology.com) is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.
