CA Attorney General Calls Out Unreported Healthcare Data Breaches
After multiple ransomware attacks went unreported, California’s attorney general issued a bulletin to providers reminding them to report healthcare data breaches.
In light of numerous unreported ransomware attacks, California Attorney General Rob Bonta sent a bulletin to providers and facilities reminding them of their duty to report healthcare data breaches and comply with state and federal data privacy laws.
Top stakeholder organizations received the bulletin, including the California Medical Association, the California Dental Association, and the California Hospital Association.
Healthcare entities must alert the California Department of Justice (DOJ) when a data breach impacts more than 500 Californians. As healthcare ransomware attacks increase across the country, it is increasingly important to ensure compliance with data privacy laws and prevent future attacks, Bonta’s bulletin emphasized.
“Entities entrusted with private and deeply personal data, like hospitals and other healthcare providers, must secure information against evolving threats,” Bonta stated in a press release.
“In addition, I implore all entities that house confidential health-related information to be vigilant and take steps now to protect patient data, before a potential cyberattack.”
The attorney general stressed the importance of data security considering the sensitive protected health information (PHI) and personally identifiable information (PII) that healthcare organizations have access to.
“Across the nation, cyberattacks on the healthcare sector have interrupted service delivery and patient care, and eroded patient trust,” the bulletin stated.
“Data breaches, particularly when they involve sensitive information such as Social Security numbers and health records, threaten the privacy, security, and economic wellbeing of consumers.”
When healthcare organizations provide timely notification of a data breach to the DOJ, it helps patients and providers mitigate losses. While most ransomware attackers are after money rather than medical records, exposed patient information can result in fraud and serious financial implications for those impacted.
The bulletin cited HIPAA along with the Confidentiality of Medical Information Act (CMIA) as pillars of healthcare data security. Both laws hold providers to a defined standard for protecting patient data and confidentiality. Taking security measures to prevent ransomware attacks therefore goes hand in hand with a provider’s duty to protect patient privacy.
The bulletin suggested that all healthcare facilities and providers take the following preventive actions to prepare for and prevent ransomware attacks:
- Keep all operating systems and software housing health data current with the latest security patches
- Install and maintain virus protection software
- Provide regular data security training for staff members that includes education on not clicking on suspicious web links and guarding against phishing emails
- Restrict users from downloading, installing, and running unapproved software
- Maintain and regularly test a data backup and recovery plan for all critical information to limit the impact of data or system loss in the event of a data security incident
Bonta also urged healthcare entities to follow data security guidance from federal agencies such as the HHS Office for Civil Rights (OCR), the Cybersecurity & Infrastructure Security Agency (CISA), the FBI, and the National Institute of Standards and Technology (NIST).
Despite their obligation to protect patient privacy, some major health systems have seemingly missed the mark. Scripps Health in San Diego was hit with multiple class-action lawsuits after a ransomware attack that led to significant disruptions in care and EHR downtime earlier this year.
The attack cost Scripps Health $113 million in lost revenue, along with the trust of many patients. One lawsuit alleged that Scripps Health was storing PII in a non-encrypted form, easily accessible to bad actors. Class members argued that the health system was careless in its cybersecurity measures and could have prevented the attack.
Without proper data security practices, health systems face risks to their bottom lines, reputations, and patient safety.