Return of the Guru

Late Reporting of Breach Draws Penalty—Insurers, Take Note

Ara Trembly
Insurance Experts' Forum, September 13, 2010

In case you haven’t noticed, the recession is far from over, and in the case of some state governments, the situation has resulted in virtual bankruptcy. As a result, these governments will likely seek to boost income at the drop of a hat, or in this case, at the theft of a computer.

Several Internet news sources are reporting that Palo Alto, Calif.-based Lucile Packard Children's Hospital has appealed a $250,000 fine for tardily reporting a data breach to the California Department of Public Health (CDPH). According to the hospital, the incident was related to the apparent theft earlier in the year of a password-protected desktop computer that contained the personal information of about 532 patients.

“The computer in question was used by an employee whose job required access to patient information,” said a hospital news release. “Even though the employee had signed written commitments to keep patient information confidential and secure in accordance with legal requirements and hospital policies, the hospital received reports that the now-former employee allegedly removed the computer from hospital premises and took it home. The hospital immediately began a thorough investigation and also reported the matter to law enforcement in an attempt to recover the computer quickly.” The former employee has since been charged with theft, and the hospital says the computer was not recoverable.

That all sounds perfectly reasonable, except that it wasn’t enough to keep the hospital from a hefty fine for late reporting. Under California law, health care organizations must report a breach that could expose protected health information to appropriate government agencies and affected individuals within five days of its discovery. The penalty for failing to meet the deadline is $100 per day per breached record up to a maximum of $250,000.

A CDPH spokesman said that affected patients at Lucile Packard Hospital were not informed of the breach for 19 days after it was discovered. Thus, the hospital was assessed the maximum penalty.

The hospital defended its belated alert to the department on the grounds that it was investigating with police what had happened to the computer, according to one Internet source; only after determining that it could not retrieve the device did the hospital inform the department.

Now here’s where things get a little tricky. Why should an investigation preclude informing the state government and the affected parties? The statute’s clock runs from the discovery of the breach, not from the end of the investigation or the recovery of the hardware, so the two can and should proceed in parallel. Well, maybe the police asked the hospital to keep things under wraps until they could investigate. That seems possible, but no one has offered that up as the reason for the hospital’s tardy response. Until and unless that is said and confirmed, it looks much more like the hospital was trying to keep everything quiet while it desperately searched for the purloined computer.

This is not a condemnation of the hospital. Many of our organizations might have reacted the same way—hoping against hope to stop a problem before it grew to unmanageable proportions. On the other hand, if yours was one of the records stolen along with the computer, you’re probably not inclined to withhold your opprobrium. The hospital claims there has been no damage to the affected parties thus far, but with the device still out there, one never knows. Note, too, that “password-protected” is not the same as encrypted: a login password guards the user account, not the data on the disk, and anyone who has the machine can simply pull the drive and read it unless the drive is encrypted.

This should serve as a dire warning to all of us in the insurance community whose enterprises hold confidential information on insureds—and that is just about every insurer and agent. Individuals and governments will not hold back if records are compromised and we are even slightly tardy in reporting as required.

In the end—statute or no statute—prompt notification is the right thing to do. And it could save you a big fine and an even bigger embarrassment.

Ara C. Trembly (www.aratremblytechnology.com) is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.


This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.
