Comments to California Dept. of Public Health: Medical Information Breach Regulations
December 13, 2010
California Department of Public Health
PO Box 997377; MS 3201
Sacramento, CA 95899-7337
Submitted via email: RNUnit-at-cdph.ca.gov
Dear Mr. Hoffmark:
The Privacy Rights Clearinghouse appreciates the opportunity to submit pre-meeting comments regarding the California Department of Public Health’s (CDPH) upcoming regulations regarding breaches of consumers’ personal health data. We direct our comments as follows:
Consumers enter a hospital or another care facility for a variety of reasons. Whether admission to a hospital stems from an accident, needed surgery, or complications of a terminal illness, all patients have at least two things in common. First, they are sick or injured, sometimes critically so, and require a level of care beyond what outpatient services can provide. Second, admission to a care facility entails the accumulation of vast amounts of personal, medical, and financial information.
Consumers who are admitted to a California care facility should not have the added worry that their health and financial data might end up on a social networking website, in the tabloids, in a dumpster, or in the hands of an identity thief.
Federal standards for privacy of health information are set out in rules adopted under the Health Insurance Portability and Accountability Act (HIPAA), which became effective in April 2003. HIPAA security rules, which require safeguards for private health information, became effective in April 2005. Both privacy and security standards were bolstered by California laws and regulations. Thus, there should be absolutely no doubt on the part of any healthcare facility or healthcare worker in California that there is both a duty and a legal obligation to protect the privacy and security of Californians’ personal health data.
Yet, despite the legal requirements and the years that have passed since these requirements have been in place, instances of the breach of healthcare data in California continue at an alarming pace. Whether the breach is intentional or inadvertent, the potential harm to the patient is all the same. In considering new regulations to address breaches, we urge the CDPH to give great weight to the reputational, financial, and emotional harm consumers experience because of carelessness, inattention, curiosity, or greed.
CDPH, on its website, lists instances of health-related data breaches for which facilities have been fined, usually for incidents that occurred in prior years. The PRC also tracks instances of data breaches that generate media coverage.
Following are some other examples of recent data breaches by California healthcare facilities:
November 14, 2010
Northridge Hospital Medical Center
A package sent through a national courier was damaged during transit. Because of this damage, patient names, Social Security numbers, addresses, phone numbers, dates of birth, dates of death, physician, financial account number, insurance ID, Medicare and Medicaid charges billed and paid, hospital room and board charges and guarantor Social Security number may have been exposed. People who were patients between September of 2004 and June of 2006 were affected.
October 16, 2010
University of California Davis (UCD) Medical Center
West Sacramento, California
UCD patient documents were stolen from an UltraEx courier service in West Sacramento in August. The information consisted of copies of checks and remittance records between the University and insurance companies. Six patients had their full Social Security numbers exposed and 40 patients had some part of their Social Security number exposed. The University now prohibits the courier service from storing documents overnight.
October 13, 2010
San Diego Regional Center
San Diego, California
A back-up tape created for the purpose of disaster recovery testing and training was lost during shipping to the California Department of Developmental Services by UPS. Consumers' first and last names, Social Security numbers, contact, diagnostic and medical information may have been exposed. Extracting information from the tape requires sophisticated technology, according to the breach notice letter.
Source: Security Breach Letter
October 11, 2010
Alliance HealthCare Services, Inc.
Newport Beach, California
Patients from Oroville hospital in Oroville, CA, and Eden Medical Center in Castro Valley, CA, were affected. One or more portable devices were lost or stolen between July 31 and August 5.
Source: HHS via PHIPrivacy.net
October 11, 2010
Private Medical Practice
A desktop computer was stolen on or around August 17.
Source: HHS via PHIPrivacy.net
September 27, 2010
Kern Medical Center
An employee opened an email that subsequently affected the entire hospital system in late July. The Kern Medical Center temporarily removed itself from the county computer network to prevent the spread of the attack. Patient records were eventually secured, but it is unknown if any were affected by the 16-day malware attack.
September 9, 2010
Lucile Packard Children's Hospital at Stanford University
Palo Alto, California
A former employee took a hospital desktop computer with patient records home around January 11, 2010. In February it was determined that the computer could not be recovered and patients were notified of the incident. The hospital was fined $250,000 by the California Department of Public Health for the delay in reporting the incident. As of September 9, 2010, the hospital was in the process of appealing the fine.
UPDATE (9/10/10): The desktop did contain patient Social Security numbers, medical record numbers, names, insurance information, diagnoses and treatment information.
June 28, 2010
Children's Hospital of Orange County
The Hospital is checking its database for accuracy after discovering that patient files have been faxed to the wrong location at least twice. Patient records were faxed to an auto shop in 2009, and the wrong doctor on a separate occasion.
June 8, 2010
Tri-City Medical Center
Employees shared patient information on Facebook. Differing reports leave it unclear if these employees were nurses, and whether or not they were fired.
[Note: Five nurses were subsequently fired.] 
In yet another incident, in September 2010, medical records including the name, address, telephone number, and medical record number were sold to a recycling center in Los Angeles County. The records, reported missing from a care facility in July 2010, brought the thief $40.
Perhaps, the most egregious breach of medical privacy, reported in 2008, involved 120 UCLA Medical Center employees snooping into the private medical files of celebrities. Apparently the CDPH’s investigation along with extensive negative press of the 2008 incidents at UCLA did little to change the atmosphere of prying employees. Similar reports of unauthorized access surfaced after Michael Jackson’s death in 2009.
It is clear from the incidents reported by the CDPH, media reports, and the PRC’s chronology of data breaches that most such incidents were preventable. Employee snooping and lost or stolen portable electronic devices account for a significant number of breaches.
All too many incidents involved facility employees gaining unauthorized access to patient records. Being an employee of a healthcare facility necessarily involves a high degree of trust. Facilities and the CDPH should not tolerate a health records system that allows patients’ private medical records to be accessed for employees’ curiosity, entertainment, or financial gain.
Patient records include very private details of the person’s past and present health history along with very sensitive financial information, which can include the patient’s Social Security number, credit card and bank account numbers, and health insurance data. Most information included in medical files is not something the patient would even share with close family members.
Motives for gaining unauthorized access no doubt vary from incident to incident. Some few incidents may be entirely accidental when the employee accesses the wrong file by mistake. But, a number of incidents reported are confirmed as intentional intrusions into a patient’s private files. Curiosity and wanting to get “inside” information about a neighbor, ex-spouse, or celebrity is likely to be the motive for unauthorized access in some cases, a situation some might naively view as quite innocent. A most troubling aspect is that the private information gained through the unauthorized access is not likely to end with the employee. Juicy tidbits and up-to-the-minute reports are just too tempting not to be shared with others.
As medical records are increasingly stored in electronic format, technology exists that would limit access to those who have direct responsibility for the patient’s care.
Patient data exposed through breaches that result from lost or stolen portable electronic devices are also largely preventable. The same is true for health information shipped through the mail or courier services. To address these common breaches, CDPH should require all facilities under the agency’s watch to adopt procedures that monitor and restrict the off-site use of portable electronic devices. CDPH should require that patient data stored in portable devices or shipped to another location be encrypted.
In August 2009, the U.S. Department of Health and Human Services adopted interim final rules regarding circumstances under which consumers must be notified of a medical data breach. The rules were mandated by Section 13402 of the Health Information Technology for Clinical Health (HITECH) Act.
In adopting the rules, HHS, unfortunately, adopted a “harm” standard, meaning that patients would only be given notice of a data breach if the HIPAA “covered entity” determined the breach “poses a significant risk of financial, reputational, or other harm to the individual.” PRC filed comments strongly opposing the HHS “harm” standard. To date, HHS has not adopted final rules regarding breach notification.
As CDPH is well aware, HIPAA creates a “floor” for privacy and security of health information. Thus, CDPH is not limited in protecting California consumers’ health data by federal regulations. Any instance of a security breach should require notice to the patients involved, who can then decide what, if any, harm may result to him or her. CDPH should not be swayed by the inevitable arguments that notice in all instances leads to “overnotification.”
From the many reported instances of health data breaches in California, it is clear that the CDPH rules to be developed should require facilities to adopt both strong preventive measures and effective programs for responding to a security breach. CDPH rules should apply to security for data stored and maintained in electronic, paper or other format.
An effective preventive program should include at least the following:
- Written data security plans.
- Staff specifically assigned to data security and privacy.
- Limited access on a need-to-know basis.
- Security guidelines for laptops and other portable devices used off site.
- Staff training.
- Periodic security testing and audits.
- Encryption for data stored on portable devices and information transmitted over the Internet. In addition, personal health information on the healthcare institution’s computer system should be encrypted. 
An effective response program should include at least the following:
- Notice to consumers of any breach incident, as currently required by law, with the addition of details of the breach as proposed in Sen. Joe Simitian’s SB 1166 from the 2010 legislative session (did not gain passage).
- Notice to the CDPH of a breach incident. Also, public reporting of reported breaches on CDPH website.
- Short timeframe for reporting data breach to CDPH and consumers.
- Staff dedicated to answering questions for consumers affected by the breach.
- Assessment of how the breach occurred and preventive programs modified to present further incidents.
- Periodic reports to CDPH on how preventive programs were modified after a breach.
The PRC appreciates the opportunity to provide these comments prior to CDPH’s meeting on December 14, 2010, to consider upcoming breach regulations.
Beth Givens, Director
Tena Friery, Research Director
Privacy Rights Clearinghouse
 The Privacy Rights Clearinghouse is a nonprofit consumer education and advocacy organization based in San Diego, CA, and established in 1992. The PRC advises consumers on a variety of informational privacy issues, including financial privacy, medical privacy and identity theft, through a series of fact sheets as well as individual counseling available via telephone and email. It represents consumers’ interests in legislative and regulatory proceedings on the state and federal levels. www.privacyrights.org
 A similar incident was reported in August 2010 when firefighters at a hospital in Long Beach, CA, posted pictures of a dying patient on Facebook. See: Long Beach firefighters photographed dying man, August 13, 2010, by Molly Hennessy-Fiske, http://latimesblogs.latimes.com/lanow/2010/08/firefighters-facebook-dying-man-photos.html
 A later news story reported that five nurses were subsequently fired. http://www.sandiego6.com/mostpopular/story/Oceanside-Nurses-Fired-for-Facebook-Postings/2grZXIQTR0my9tYMH73ZqQ.cspx
 See: Medical Records Allegedly Sold For Scrap Did Not Include Social Security Numbers, Rong-Gong Lin II and Molly Hennessy-Fiske, LA Times, September 17, 2010, http://latimesblogs.latimes.com/lanow/2010/09/medical-records-allegedly-sold-for-scrap-did-not-include-social-security-numbers-authorities-say.html
 See e.g. Celebrity Medical Records in Massive UCLA Breach, Huffington Post, August 5, 2008. http://www.huffingtonpost.com/2008/08/05/celebrity-medical-records_n_116968.html
 See e.g. Michael Jackson's medical records at UCLA were improperly accessed, source says, June 10, 2010, http://latimesblogs.latimes.com/lanow/2010/06/michael-jacksons-medical-records-at-ucla-were-improperly-accessed-source-says.html|
 74 Federal Register 42740 (August 24, 2009), http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf
 To read PRC’s comments go to: www.privacyrights.org/hhs-comments-breach-notification-unsecured-protected-health-information
 See the PRC's guide, Checklist of Responsible Information-Handling Practices, http://www.privacyrights.org/fs/fs12-infohandling.htm. See also a list of security-related publications on the PRC website -- resources with information on how to avoid data breaches: http://www.privacyrights.org/data-breach#8
 SB 1166 was vetoed by Governor Schwarzenegger. http://www.leginfo.ca.gov/pub/09-10/bill/sen/sb_1151-1200/sb_1166_bill_20100823_enrolled.pdf and http://www.leginfo.ca.gov/pub/09-10/bill/sen/sb_1151-1200/sb_1166_bill_20101006_status.html