DataBreaches.Net


Lucile Salter Packard Children's Hospital avoids $250,000 penalty for late breach notification (updated)

Posted on March 2, 2013 by Dissent

UPDATE: In a statement sent to PHIprivacy.net on March 7, a CDPH spokesperson writes:

The original $250,000 penalty posting was an error discovered during the appeal. The correct calculation should have been $100/day times the number of days the facility failed to report the breach to CDPH, for a total penalty of $1100.

So after all that, it was just a mistake? Yikes…

Original post:

A penalty imposed by California on a hospital for failure to notify patients within 5 days was appealed and the case settled, but can we learn anything from the settlement?

In March 2010, we first learned of an incident involving a stolen computer with 532 patients’ information at Lucile Salter Packard Children’s Hospital. As more details emerged, we learned that while the incident occurred on January 11, 2010, the hospital had first reported the breach to the state on February 19, 2010, despite the fact that California law governing hospitals requires notification to the state and affected patients within 5 days of detection of unlawful or unauthorized access, use, or disclosure.

In April 2010, the state imposed a $250,000 penalty on the hospital for failure to timely notify patients. That amount was the maximum allowable under California’s law.

The hospital appealed the penalty. Their case raised a number of questions, including whether a hospital had a legal obligation to notify if it was still investigating a report and trying to determine if there had been unauthorized access to patient information. I uploaded the state’s report and covered some of the resulting controversy over the penalty, including a guest post about the constitutionality of laws and suspected data breaches.

And that’s where things stood for quite a while, as whenever I checked back, the appeal was still under consideration. In due course, being well-intentioned but old, I forgot to keep checking.

This week, a few remaining neurons kicked into gear, and I learned that the hospital and the state had reached a settlement in September 2011, a copy of which I obtained from the state. Under the terms of the settlement, the hospital paid $1,100.00 for late notification to the state and no penalty for late notification to patients. The settlement, which also included an additional $3,000.00 penalty for settlement of an unrelated privacy breach notification complaint, included a statement:

Execution of THIS STIPULATION FOR SETTLEMENT does not constitute any acknowledgement or admission of error, faulty, liability or wrongdoing by either party.

Neither the state nor the hospital would comment on the settlement.

So where does that leave us on the possible constitutional issues raised? What have we learned about how the state interprets the notification provisions? What should legal counsel for covered entities in California advise their clients going forward should a similar situation arise again, as it may if an employee with authorized access walks out with (possibly steals) a device containing PHI? Does the entity need to notify all patients even if they haven’t yet determined whether the device might still be under the employee’s control and the data have neither been accessed nor used? Your guess is as good as – or better than – mine.

There are probably lessons to be learned here about breach response in California, but damned if I know what they are without some explanation from the state.

You can access the settlement here (pdf). See what you think.

Interestingly, HHS’s investigation of the incident still remains open.
