ARTICLE
28 February 2014

The Kaiser Breach Case-What You Can Learn

United States Privacy

Just recently, California Attorney General Kamala Harris filed suit against Kaiser Foundation Health Plan, Inc. ("Kaiser") because of an alleged 2011 data privacy incident. It seems as though a simple accident led to sensitive data being accessed by unauthorized third parties, and ultimately exposed Kaiser to legal and financial risk. In this case, an external hard drive containing the sensitive personal information of Kaiser's patients was sold to a retail thrift shop.   

The case alleges, among other things, that Kaiser failed to timely notify the affected individuals under California's data breach notification statute. While the outcome of this particular case may be a year or more away, businesses that handle regulated information such as HIPAA-protected data ("HPI") or non-public personally identifiable information ("NPII") may be able to learn something from the facts of this case. We recommend including the strategies below for mitigating risk in the area of data privacy:

1. To the extent possible, do not allow NPII or HPI to reside on any equipment beyond company-owned/managed equipment. This can be accomplished by a combination of employee training, policies and codes of conduct, and monitoring systems;
2. Require any third parties with whom you share data to agree in writing to terms at least as stringent as your regulatory obligations with respect to data privacy, security, and data breach notice; and
3. In the event an organization becomes aware of a situation in which unauthorized parties may have accessed NPII or HPI, notify the potentially affected individuals as soon as practicable, but in no case less promptly than required under state or federal law.

Information governance and data privacy compliance are becoming increasingly burdensome to manage.  Companies seeking assistance in this area should contact attorneys experienced in navigating this quickly changing landscape.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
