Late Reporting of Breach Draws PenaltyInsurers, Take Note
Insurance Experts' Forum, September 13, 2010
In case you haven’t noticed, the recession is far from over, and in the case of some state governments, the situation has resulted in virtual bankruptcy. As a result, these governments will likely seek to boost income at the drop of a hat, or in this case, at the theft of a computer.
Several Internet news sources are reporting that Palo Alto, Calif.-based Lucile Packard Children's Hospital has appealed a $250,000 fine for tardily reporting a data breach to the California Department of Public Health (CDPH). According to the hospital, the incident was related to the apparent theft earlier in the year of a password-protected desktop computer that contained the personal information of about 532 patients.
“The computer in question was used by an employee whose job required access to patient information,” said a hospital news release. “Even though the employee had signed written commitments to keep patient information confidential and secure in accordance with legal requirements and hospital policies, the hospital received reports that the now-former employee allegedly removed the computer from hospital premises and took it home. The hospital immediately began a thorough investigation and also reported the matter to law enforcement in an attempt to recover the computer quickly.” The former employee has since been charged with theft, and the hospital says the computer was not recoverable.
That all sounds perfectly reasonable, except that it wasn’t enough to keep the hospital from a hefty fine for late reporting. Under California law, health care organizations must report a breach that could expose protected health information to appropriate government agencies and affected individuals within five days of its discovery. The penalty for failing to meet the deadline is $100 per day per breached record up to a maximum of $250,000.
A CDPH spokesman said that affected patients at Lucile Packard Hospital were not informed of the breach for 19 days after it was discovered. Thus, the hospital was assessed the maximum penalty.
The hospital defended its belated alert to the department on the grounds that it was investigating with police what had happened to the computer, said one Internet source.
After determining that it could not retrieve the device, the hospital then informed the department, it said.
Now here’s where things get a little tricky. Why should an investigation preclude informing the state government and the affected parties? Well, maybe the police asked the hospital to keep things under wraps until they could investigate. That seems possible, but no one has offered that up as the reason for the hospital’s tardy response. Until and unless that is said and confirmed, it looks much more like the hospital was trying to keep everything quiet while it desperately searched for the purloined computer.
This is not a condemnation of the hospital. Many of our organizations might have reacted the same way—hoping against hope to stop a problem before it grew to unmanageable proportions. On the other hand, if yours was one of the records stolen along with the computer, you’re probably not inclined to withhold your opprobrium. The hospital claims there has been no damage to the affected parties thus far, but with the device still out there, one never knows.
This should serve as a dire warning to all of us in the insurance community whose enterprises hold confidential information on insureds—and that is just about every insurer and agent. Individuals and governments will not hold back if records are compromised and we are even slightly tardy in reporting as required.
In the end—statute or no statute—it’s the right thing to do. And it could save you a big fine and an even bigger embarrassment.
Ara C. Trembly (www.aratremblytechnology.com) is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.
Readers are encouraged to respond to Ara using the “Add Your Comments” box below. He can also be reached at firstname.lastname@example.org.
This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.
The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.
Add Your Comments...
If you have already registered to Insurance Networking News, please use the form below to login. When completed you will immeditely be directed to post a comment.
You must be registered to post a comment. Click here to register.