California News re Health Information Privacy and Security and HIPAA Breach Notification Rule: HIPAA & HITECH Act Blog by Jonathan P. Tomes

In October 2014, Kamala D. Harris, Attorney General, California Department of Justice, released the California Data Breach Report. The report noted that, in the health care sector, breaches affected more records than in any other industry sector except retail, which led only because of the two huge breaches of 2013 (Target and LivingSocial). In the report's words: "Many of the health care breaches reported to us are of a type that could be prevented by the strategic use of encryption. Unlike other industry sectors, where computer intrusions caused the majority of breaches, 70 percent of breaches reported in health care in the past two years were the result of stolen or lost hardware or digital media containing unencrypted personal information." This finding is consistent with the national enforcement actions in which the Department of Health and Human Services ("DHHS") has imposed civil money penalties or obtained settlements in lieu thereof. Most of those enforcement actions resulted from the loss or theft of an unencrypted device, such as a laptop, or of unencrypted portable media.

Of health care's 31 physical breaches, 24 resulted from stolen hardware, 5 from lost media, and 2 from stolen documents. The stolen hardware consisted of 16 laptops and 8 desktops. Two-thirds of the hardware items (8 desktops and 8 laptops) were stolen from an office or workplace; the remaining 8 laptops were stolen from an employee's car or home. The lost digital media were 4 USB drives and 1 disc. The stolen documents were records taken from a storeroom in one instance and from an employee's car in the other.

The Ponemon Institute, in its Fourth Annual Benchmark Study on Patient Privacy and Data Security (March 2014), pp. 2-3, noted that criminal attacks targeting the health care system are growing and that employees' use of unsecured portable devices is also increasing the risk of breach. The Attorney General opined that the health care industry needs to use encryption and recommended that it be applied not only to laptops and portable media, but also to many desktop computers in offices, since the report's own figures show that a third of the stolen hardware was desktops taken from workplaces. The practical payoff is that, under the HIPAA Breach Notification Rule, protected health information encrypted in a manner consistent with DHHS guidance is not "unsecured" protected health information, so the loss or theft of such a device does not trigger the breach notification obligations that an unencrypted device does.

Governor Brown signed Assembly Bill 1755, Chapter 412, Statutes of 2014, effective January 1, 2015, which amends § 1280.15 of the California Health and Safety Code. Under existing law, a clinic, health facility, home health agency, or hospice had to report an unlawful or unauthorized access to, or use or disclosure of, a patient's medical information to the State Department of Public Health and to the affected patient or the patient's representative no later than 5 business days after the unlawful or unauthorized access, use, or disclosure was detected; the bill extends that deadline to no later than 15 business days after detection. Even the longer deadline is much shorter than the 60 calendar days from discovery allowed under the HIPAA Breach Notification Rule. The bill authorizes the report to the patient or the patient's representative to be made by alternative means, including email, as specified; existing law required that the report be made "to the patient's last known address." Where a law enforcement agency provides a written or oral statement that compliance with the reporting requirements would likely impede its investigation, the report may be delayed, and the bill likewise changes the deadline for making that delayed report from 5 business days to 15 business days. The bill also gives the Department of Public Health full discretion to consider all factors when determining whether to investigate under these provisions. See California Health Information Management Association, "Legislation Bills Signed Into Law."
