California data breach report underscores need for encryption in healthcare

Seventy percent of breaches reported by the California healthcare industry were caused by unencrypted data on lost or stolen hardware or portable media, a problem that strong encryption of the data at rest would have prevented, according to the latest data breach report from the state's attorney general. In other industries, only 19 percent of breaches had that cause.
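The lost-or-stolen-device breach class is a data-at-rest problem, so the check a practitioner wants on a laptop or workstation is whether every mounted filesystem actually sits on an encrypted block device. The script below is an added example and is not code from the report or the article: it parses the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,RM,MOUNTPOINTS` prints on Linux (util-linux), treats a filesystem as encrypted only if it or an ancestor is a dm-crypt mapping (`type == "crypt"`, which is what an unlocked LUKS volume appears as), and flags everything else, with removable media called out. The embedded sample output is constructed; the allowlist for `/boot` and the `audit_live_system` helper are assumptions for illustration.

```python
"""Audit which mounted filesystems are NOT backed by block-level encryption.

Added example, not from the California AG report or the article. Input is
the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,RM,MOUNTPOINTS` prints; a
constructed sample is embedded so the script runs offline.
"""
import json
import subprocess

LSBLK_COLUMNS = "NAME,TYPE,FSTYPE,RM,MOUNTPOINTS"

# Constructed sample of lsblk JSON output: a LUKS-encrypted root, an
# unencrypted EFI partition (expected), and a removable USB stick mounted
# without any encryption.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "fstype": null, "rm": false, "mountpoints": [null],
   "children": [
     {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "rm": false, "mountpoints": ["/boot/efi"]},
     {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS", "rm": false, "mountpoints": [null],
      "children": [
        {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "rm": false, "mountpoints": ["/"]}
      ]}
   ]},
  {"name": "sdb", "type": "disk", "fstype": null, "rm": true, "mountpoints": [null],
   "children": [
     {"name": "sdb1", "type": "part", "fstype": "exfat", "rm": true, "mountpoints": ["/media/usb"]}
   ]}
]}
"""

# Assumed policy: the bootloader/EFI partition is legitimately unencrypted.
ALLOWLIST = {"/boot", "/boot/efi"}


def _mountpoints(dev):
    """Return a device's mountpoints, accepting both the older scalar
    'mountpoint' key and the newer 'mountpoints' list (util-linux >= 2.37)."""
    if "mountpoints" in dev:
        return [m for m in dev["mountpoints"] if m]
    m = dev.get("mountpoint")
    return [m] if m else []


def _walk(dev, encrypted, removable, out):
    """Depth-first walk of the lsblk tree. A filesystem counts as encrypted
    once any ancestor (or itself) is a dm-crypt mapping; it counts as
    removable if any ancestor (or itself) has the RM flag set."""
    encrypted = encrypted or dev.get("type") == "crypt"
    removable = removable or dev.get("rm") in (True, 1, "1")
    for mp in _mountpoints(dev):
        out.append({"name": dev["name"], "mountpoint": mp,
                    "fstype": dev.get("fstype"), "encrypted": encrypted,
                    "removable": removable})
    for child in dev.get("children", []):
        _walk(child, encrypted, removable, out)


def mounted_filesystems(lsblk_json):
    """Flatten lsblk JSON into one record per mounted filesystem."""
    out = []
    for dev in json.loads(lsblk_json)["blockdevices"]:
        _walk(dev, False, False, out)
    return out


def unencrypted_mounts(lsblk_json, allowlist=ALLOWLIST):
    """Mounted filesystems with no dm-crypt ancestor, minus the allowlist."""
    return [fs for fs in mounted_filesystems(lsblk_json)
            if not fs["encrypted"] and fs["mountpoint"] not in allowlist]


def audit_live_system():
    """Run lsblk on this host and return the findings (Linux only)."""
    raw = subprocess.check_output(["lsblk", "-J", "-o", LSBLK_COLUMNS], text=True)
    return unencrypted_mounts(raw)


if __name__ == "__main__":
    for fs in unencrypted_mounts(SAMPLE_LSBLK_JSON):
        tag = "REMOVABLE " if fs["removable"] else ""
        print(f"UNENCRYPTED {tag}{fs['name']} ({fs['fstype']}) mounted at {fs['mountpoint']}")
```

On the constructed sample the only finding is the USB stick at `/media/usb`, which is exactly the "portable media" case the report singles out; the LUKS root is recognised through its `crypt` mapping and the EFI partition is excluded by policy. The check is Linux-specific: BitLocker or FileVault status needs a different query, and this script says nothing about file-level or application-level encryption.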

The attorney general's office noted that it is still trying to make encryption of personal data in transit mandatory, but so far has been unsuccessful. Encryption in transit protects data moving over a network; the lost-device breaches above involve data at rest on the device itself, which is a separate control.

Healthcare's 25 breaches accounted for 15 percent of all breaches reported in the state during 2012 and 2013, according to the report, and exposed 1.5 million records (6 percent of the total). Retail had 43 breaches but exposed 15.4 million records, 84 percent of all records affected.

Since 2012, California's breach notification law has required organizations to submit a copy of their breach notices to the attorney general when a breach affects more than 500 Californians. The report criticizes the notices it has received as being written at a college reading level, when the average American reads at an eighth-grade level.

Healthcare was the only sector in which malware and hacking were not a significant cause of reported breaches, accounting for just 9 percent of them, compared with 88 percent in retail.

More than half of the healthcare breaches (55 percent) exposed Social Security numbers, which the report points out can be abused in many ways and, unlike a payment card number, cannot easily be replaced.

Privacy attorney Deven McGraw, chair of the Health IT Policy Committee's Privacy and Security Workgroup, recently told FierceHealthIT she wouldn't be at all surprised if California and other states enact even more stringent privacy legislation, which in some cases already is tougher than HIPAA.

California courts, however, recently threw out two breach lawsuits that stemmed from the theft of computers containing patient data.

To learn more:
- check out the report (.pdf)