Five California hospitals were fined a total of $675,000 last week for failing to secure patient data, a development that signals a change in how state and federal governments are starting to hold companies and organizations accountable for their data security practices.
Last week, the California Department of Public Health (CDPH) invoked the penalties outlined in Section 1280.15 of the Golden State's Health and Safety Code. The legislation, which was passed in 2008, calls for an administrative penalty of $25,000 for the first breach of a patient's medical information and a penalty of up to $17,500 for each subsequent breach of other patients' data.
Community Hospital of San Bernardino, Calif., was assessed fines totaling $325,000 for failing to prevent the unauthorized access of 207 patients' medical records in two separate incidents.
For years, hospitals and medical centers have been hammered by one data breach incident after another. In most cases, the information is exposed by the loss of a laptop or a removable storage drive.
Regardless, this latest round of fines signals a new trend in how government agencies are ratcheting up the pressure on private-sector companies to not only notify people when their information is compromised, but to take proactive procedural and technological steps to prevent the breaches from occurring in the first place.
In April, Washington became the third state to pass a law that allows banks to recover costs and damages from retailers and credit card processors that suffer data breaches stemming from a failure to comply with the Payment Card Industry (PCI) standards.
Independent security research firms claim identity theft cost American consumers and companies more than $54 billion last year and directly impacted more than 11.1 million adults, up 12 percent from 2008.
But without a hammer for governments to truly penalize companies and make data security a fiscal imperative, a large swath of companies -- particularly small and mid-sized businesses selling goods and services online -- have failed to invest in the latest security software applications or train their employees to prevent data from slipping through the cracks.
In California, Senate Bill 541 (SB 541) and Assembly Bill 211 (AB 211), two punitive pieces of data-security legislation, were signed into law in 2008. Beyond the pricey fines, the statutes compel state watchdog organizations, such as the CDPH, to stay on top of leaky hospitals long after the fines are assessed.
The five California hospitals tagged with the fines -- Community Hospital of San Bernardino, Enloe Medical Center in Chico, Rideout Memorial Hospital in Marysville, Ronald Reagan UCLA Medical Center in Los Angeles and San Joaquin Community Hospital in Bakersfield -- must also submit a "plan of correction" to CDPH within ten working days and implement it to thwart future data breach incidents.
"Medical privacy is a fundamental right and a critical component of quality medical care in California," CDPH Director Dr. Mark Horton said in a statement. "We are very concerned with violations of patient confidentiality and their potential harm to the residents of California."
All five hospitals can appeal the administrative penalty by requesting a hearing within ten calendar days of notification.