Fines for Delay in Data Breach Notification

It is always painful for organizations to deal with a data breach incident. They run the risk of disenfranchising their customers and damaging their organization's reputation. But today, in California, it can also be extremely costly, especially if they have any tendancy towards proscrastination.

The prestigious Lucile Packard Children's Hospital at Stanford University was recently fined the maximum-allowed $250,000 by the California Department of Public Health for their 18 day delay in notifying 532 patients of a data breach incident. Under California law, there is an allowable fine of $100 per day per individual affected for delays in notification of longer than five days after the date of confirmation that a data breach has occurred. California seems to be wasting no time using this fine schedule as a tool to assist in bridging their budget gap.

As reported in HealthLeaders Media, the incident involved the computer of a former employee that is unrecoverable that had on it patient information including "names, date of birth, medical record numbers, diagnoses, procedures, insurance information and/or social security numbers. Lucile Packard officials on Thursday posted a lengthy statement on the hospital's website saying it intends to appeal the $250,000 fine. The state's medical record confidentiality laws were enacted in 2008 after hospital medical records of celebrities such as the late Farrah Fawcett and Britney Spears were inappropriately accessed and distributed. A two-bill combination requires health facilities to adopt appropriate administrative, physical and technical safeguards to prevent unauthorized access or unlawful access, use, or disclosure."

This situation at the Luclie Packard Children's Hospital illustrates the importance of acting with urgency once a data breach has been confirmed, but also of planning ahead for data breach notification. An investigation may take a protracted period of time in order to determine if personal information has been exposed, and the notification clock doesn't start until this determination has been made. At that point, however, given the short five day window it is essential for an organization to have already prepared its notification plans so that individuals notification timing will not exceed the maximum five days in California.