UPDATE: In a statement sent to PHIprivacy.net on March 7, a CDPH spokesperson writes:
The original $250,000 penalty posting was an error discovered during the appeal. The correct calculation should have been $100/day times the number of days the facility failed to report the breach to CDPH, for a total penalty of $1100.
So after all that, it was just a mistake? Yikes…
Original post:
A penalty imposed by California on a hospital for failure to notify patients within 5 days was appealed and the case settled, but can we learn anything from the settlement?
In March 2010, we first learned of an incident involving a stolen computer with 532 patients’ information at Lucile Salter Packard Children’s Hospital. As more details emerged, we learned that while the incident occurred on January 11, 2010, the hospital had first reported the breach to the state on February 19, 2010, despite the fact that California law governing hospitals requires notification to the state and affected patients within 5 days of detection of unlawful or unauthorized access, use, or disclosure.
In April 2010, the state imposed a $250,000 penalty on the hospital for failure to timely notify patients. That amount was the maximum allowable under California’s law.
The hospital appealed the penalty. Their case raised a number of questions, including whether a hospital had a legal obligation to notify if it was still investigating a report and trying to determine if there had been unauthorized access to patient information. I uploaded the state’s report and covered some of the resulting controversy over the penalty, including a guest post about the constitutionality of laws and suspected data breaches.
And that’s where things stood for quite a while, as whenever I checked back, the appeal was still under consideration. In due course, being well-intentioned but old, I forgot to keep checking.
This week, a few remaining neurons kicked into gear, and I learned that the hospital and the state had reached a settlement in September 2011, a copy of which I obtained from the state. Under the terms of the settlement, the hospital paid $1,100.00 for late notification to the state and no penalty for late notification to patients. The settlement, which also included an additional $3,000.00 penalty for settlement of an unrelated privacy breach notification complaint, included a statement:
Execution of THIS STIPULATION FOR SETTLEMENT does not constitute any acknowledgement or admission of error, faulty, liability or wrongdoing by either party.
Neither the state nor the hospital would comment on the settlement.
So where does that leave us on the possible constitutional issues raised? What have we learned about how the state interprets the notification provisions? What should legal counsel for covered entities in California advise their clients going forward should a similar situation arise again, as it may if an employee with authorized access walks out with (possibly steals) a device containing PHI? Does the entity need to notify all patients even if they haven’t yet determined whether the device might still be under the employee’s control and the data have neither been accessed nor used? Your guess is as good as – or better than – mine.
There are probably lessons to be learned here about breach response in California, but damned if I know what they are without some explanation from the state.
You can access the settlement here (pdf). See what you think.
Interestingly, HHS’s investigation of the incident still remains open.