California’s Annual Data Breach Report

This November 7, 2014, e-Bulletin is from the Health Law Committee of the Business Law Section of the California State Bar.

In the October 2014 California Data Breach Report, Attorney General Kamala D. Harris offers a number of recommendations to protect the 38 million consumers in California, the state where 17 percent of 2012 data breaches in the United States occurred, with a 28 percent increase in 2013. Some key findings from the AG’s report include:

  • In 2013 the AG’s Office received 167 data breach reports.
  • The retail industry reported the most breaches in 2013 (26 percent). Health care accounted for 15 percent of statewide breaches in 2013.
  • More than half of the 2013 breaches (53 percent) were caused by computer intrusions (malware and hacking). The remaining breaches resulted from physical loss or theft of laptops or other devices containing unencrypted personal information (26 percent), unintentional errors (18 percent) and intentional misuse by insiders (4 percent).
  • Between 2012 and 2013, lost or stolen hardware or portable media containing unencrypted data made up the majority of breaches in the health care sector (70 percent).

One key recommendation for California’s health care industry was the consistent use of strong encryption to protect medical information on laptops, other portable devices, and desktop computers. Of the total breaches in California’s health care industry, stolen hardware included 16 laptops and 8 desktops. Lost digital media included four USB drives and one disc.

According to the report:

“Breaches of this type are preventable. An affordable solution is widely available – full disk strong encryption, to the standard set by the National Institute of Standards and Technology. This is a lesson that must be learned by the health care industry and applied not only to laptops and portable media as we recommended in last year’s report, but also to computers in offices. The desktop computer in an office can be encrypted when shut down at night and decrypted in the morning. If someone should break in after hours and steal the computer, the data on it would not be accessible. Even small practices that lack full-time information security and IT staff can do this. They owe it to their patients to do it now.”

In addition to state laws protecting privacy, federal regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH), and subsequent amendments thereto (including 75 Federal Register 40868 (July 14, 2010) (proposed rule) and 78 Federal Register 5566 (Jan. 25, 2013) (final rule)), set forth a range of possible penalties when there is a compromise of protected health information.
