If you’re supposed to report a breach to the state of California, you’d darn well better report it in a timely fashion. HealthLeaders Media reports that Lucile Salter Packard Children’s Hospital at Stanford University has been fined $250,000 by the California Department of Public Health for failing to report a patient records breach <del>by April 23</del>. The computer theft had occurred in January and had been reported to HHS, the federal agency, on March 9.
Update: The hospital is appealing the fine. The state report’s timeline indicates that within 5 days of February 1, when the hospital confirmed protected health information was on the stolen computer, the hospital was required to notify both the state and the 532 affected patients. According to the state’s report, those notifications were not made until February 19. The incident occurred on Jan. 5. In a small number of cases, patients’ Social Security numbers were also on the stolen computer.