DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Did the punishment fit the "crime?" (the Lucile Salter Packard Hospital breach fines)

Posted on September 29, 2010 by Dissent

Jason C. Gavejian writes about a hospital breach that is causing waves because of the exorbitant fine the state imposed.

Lucile Salter Packard Children’s Hospital at StanfordUniversity was fined $250,000 earlier this year by the California Department of Public Health (“CDPH”) for an alleged delay in reporting a breach under California’s health information privacy law. What makes this fine particularly disconcerting for health care providers is the relatively small number of patient records which were subject to the breach when compared to the considerable fine imposed.  For employers generally, this fine could establish a timing and penalty standard which is examined and utilized by other adminstrative entities.

Personally, I think the significant issue/concern is not the number of patients affected (532) but the time issue. The hospital had confirmed that PHI were on the stolen computer by Feb. 1. Under California’s law, the state’s position is that the hospital had five (5) business days from that point to notify both the state and affected patients. The hospital, however, did notify the state or affected patients until February 19 — after it confirmed that it could not recover the computer.

CDPH informed the hospital of the fine due to the reporting of the incident 11 days late on April 23, 2010. It is unclear if the fine was tied to a failure to notify the affected individuals or the CDPH.  The hospital is appealing the fine asserting its communication to CDPH was appropriate given that no unauthorized or inappropriate access took place to require it to notify affected individuals.

As much as I empathize with the hospital, the statute does not appear to be give them wiggle room on this:

A clinic, health facility, home health agency, or hospice to which subdivision (a) applies shall report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the department no later than five business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice.

Does stealing a computer provide “unlawful access” to the patients’ records? If so, it seems to me that the clock started running on Feb. 1. I understand the hospital’s view and I understand that the stolen computer had software that enabled the hospital to know that it had not been turned on, but there is nothing in the statute that would seemingly toll the deadline for that.

CDPH’s report can be found here (pdf).

This incident highlights the seriousness of potential data breaches, regardless of size, and the urgency with which these situations must be addressed.  It also highlights an often asked question as to whether laptops that go unrecovered would constitute unauthorized access or acqisitiion (sic) of protected information.

I think the answer is obvious: if an entity loses control of a device that contains unsecured PHI, it may or may not have been acquired by someone, but if you know it was stolen, then it was acquired. Whether it will ever be accessed or not is another question, but entities need to err on the side of caution and assume the worst and notify promptly.

The HIPAA regulations also shed light on this issues stating, “if a computer is lost or stolen, we do not consider it reasonable to delay breach notification based on the hope that the computer will be recovered.”

Agreed. Whether the fine should be this steep is another matter, though.  I personally think it’s quite harsh.

Read Jason C. Gavejian’s full commentary without my interspersed remarks on Workplace Privacy Data Management & Security Report.

Related posts:

  • California fines 7 more entities for unauthorized access to patient info by employees
  • California reveals monetary penalties issued to hospitals in 2013 for medical privacy breaches
  • California public health dept. announces lost tape had medical and personal info on residents and workers
  • Lucile Packard Children's Hospital Appeals CDPH Fine (updated)
Category: Health Data

Post navigation

← When is three years of free credit monitoring still not enough?
ICO confirms imminent data breach fines →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.