PRIVACY BREACHES
A “breach of the security of the system”: –Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.” AND –Must be disclosed to any resident of the state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. What is a Breach?
The Department of Health Care Services (DHCS) investigates all alleged breaches reported by its employees, staff of its business associates, individual program beneficiaries or other persons and will work to resolve the issues raised in order to safeguard individuals' confidential information and improve the DHCS business systems and practices. The Privacy Officer determines the appropriate level of response to mitigate potential harm and corrective action necessary when the DHCS is made aware of a privacy breach. Privacy Investigations
Misdirected paper faxes with PHI/PCI outside of Department of Health Care Services (DHCS) Loss or theft of paper documents containing PHI/PCI Mailings to incorrect providers or beneficiaries Examples of Paper Breaches
Stolen, unencrypted laptops, hard drives, PCs with PHI/PCI Stolen, unencrypted thumb drives with PHI/PCI Stolen briefcases with unencrypted compact discs containing PHI/PCI Misdirected electronic fax with PHI/PCI to person outside of state government Examples of Electronic Breaches
LEGISLATIVE HISTORY Senate Bill 1386 (Peace; Chapter 915, Statutes of 2002) otherwise known as the California Security Breach Notification Act requires state agencies and other entities that maintain personal information in computerized form to notify residents of California in the event of an unauthorized acquisition of computerized data. California Anti-Identity Theft Law (Civil Code section )
LEGISLATIVE HISTORY (continued) California Adds Medical Identity Theft to the State Breach Notification Law Assembly Bill 1298 (Jones; Chapter 699, Statutes of 2007) expands California’s Security Breach Notification Act from a financial identity theft law to a medical identity law effective January 1, AB 1298 adds two new categories of breach triggering information: –Medical information: defined as the individual’s medical history, treatment or diagnosis; mental or physical health condition –Health information: health insurance policy or subscriber number, application and claims history, as well as appeals records California Anti-Identity Theft Law
California law requires the notice be made “in the most expedient time possible and without unreasonable delay.” Time may be allowed for needs of law enforcement, if the notification would impede a criminal investigation Timing
Office of Privacy Protection Notification Recommendations Notification letter: Advise individuals of steps they can take to protect themselves against possibility of identity theft. Recommend contacting the three credit reporting agencies: Equifax, Experian, and Trans Union. If find suspicious activity on credit reports, call your local police or sheriff and file an identity theft report. –Contact DMV (Fraud Hotline: ) to place fraud alert on your driver’s license. California Office of Privacy Protection Recommendations available at: Office of Privacy Protection Notification Requirements
CONSUMER PROTECTION
Free Credit Report One of the best ways to protect from identity theft is to monitor your credit history. The federal Fair Credit Reporting Act (FCRA) requires the nationwide credit reporting agencies to provide a free copy of their credit report upon request every 12 months. You may obtain your free copy of your credit report by: –Calling toll free at: –The three credit bureaus have set up one central website at: Note: beware of other sites that may offer “free” credit reports that may charge for other products. Free Credit Report
Fraud Alerts! Civil Code Section SB 168 (Bowen; Chapter 720; Statutes of 2001) established fraud alert to warn banks/potential creditors that person may be victim of Identity Theft. –Requires credit bureau fraud/security alert within 5 business days of consumer request at no cost to consumer. –Contact three credit reporting agencies: Equifax, Experian, and Trans Union at toll-free number available 24/7. –Fraud alert lasts 90 days with right to request a renewal. –Business must take reasonable steps to verify identity of consumer by contacting consumer before extending credit Fraud Alerts (Civil Code section )
Credit Freeze Civil Code Section Fraud alerts may be ignored by some creditors. To further guard against identity theft, California law allows consumers to place a security “freeze” so the credit file cannot be shared with potential creditors. –No cost with a police report filed for victim of identity theft, otherwise $10 for each credit bureau ($30). –Freeze may be lifted to obtain credit with a specific creditor while the freeze is in place. –Credit bureau must respond within three business days. –Credit freeze is in place until consumer requests that it be removed. –Freeze may be temporarily lifted by a consumer. Credit Freeze (Civil Code section )
American Recovery and Reinvestment Act of 2009 (AARA); H.R. 1; Public Law 111-5; Signed into law by President Obama on 2/17/09 Title XIII of AARA, under provisions of the HITECH ACT, Subtitle D: Privacy – Sec entitled, “Notification in the case of Breach” contains new privacy breach notification requirements for covered entities under HIPAA: –Requires notification within 60 days for a privacy breach involving HIPAA covered PHI. –Requires notification to the U.S. Department of Health & Human Services and media outlets for privacy breaches impacting 500 or more individuals. –Breaches of less than 500 must be logged and provided to HHS annually. –Authorizes state attorney generals to bring suit for HIPAA violations. Federal Stimulus Bill Includes New Mandatory Breach Notifications
Breach/Unauthorized Disclosures Contacts Privacy Officer Phone: (916) FAX: (916) Information Security Officer Phone: (916) or (800) Breach Contacts