California expands health data breach rules

California has enacted sweeping changes to an existing data-privacy law, which now specifies that residents must be notified if their electronic health data or health insurance information is breached. The measure, which expands on an existing notification law, adds unencrypted medical histories, information on mental or physical conditions, and medical treatments and diagnoses to its list of protected data categories, as well as unencrypted insurance policy or subscriber numbers, applications, claims histories and appeals. Previously, the law had covered only financial information.

The law is sufficiently stringent that providers must notify patients whenever their name is attached to breached information; it does not even require that identity-theft-sensitive items such as Social Security numbers be included in the data.

As a practical matter, I doubt this will change the rules much for providers, who in all fairness have a fairly consistent track record of informing consumers when an errant laptop goes missing or a drive is hacked. But based on my reading to date, I'm not so sure insurance companies have been as candid. Will we now see a rash of embarrassing admissions by California health plans?

To learn more about the new law:
- read this San Francisco Chronicle piece