California Attorney General Kamala Harris sued Kaiser Foundation Health Plan Inc. in state court on Jan. 23, alleging the company was too slow to notify more than 20,000 current and former employees that their personal information was compromised in a 2011 security breach, Law360 reported. In the breach, an external hard drive that contained personal information of Kaiser employees--including Social Security numbers, dates of birth and addresses--had been sold to a member of the public at a thrift store.
In a blog post on the Information Law Group's website, founding partner David Navetta wrote that the lawsuit is interesting because the AG's problem is with Kaiser's timing, alleging that it violated California's breach notification law. The law states that "[Disclosures] shall be made in the most expedient time possible and without unreasonable delay."
While Kaiser did not learn of the breach until 2011, a letter to affected customers wasn't sent until March 2012.
No explanation was given in the letter as to why there was such a delay, despite the fact that Kaiser secured possession of the drive and conducted a forensic examination in December 2011.
Harris alleged that Kaiser had sufficient information to notify at least some affected individuals between December 2011 and February 2012.
"While the outcome of this lawsuit is uncertain, breach notification practitioners and companies that handle California personal information should keep an eye on this case [and any rulings that come out of it]," Navetta said. "Moreover, if the saying is true, 'as California goes so goes the nation,' this case could impact how other state regulators view the timing requirements under their breach notification laws."
In another data breach case out of California, the Sacramento Bee reported that hackers compromised the email accounts of three University of California, Davis doctors last month, potentially gaining access to personal or medical information. The attack took place in mid-December and UC Davis officials said the school has started notifying those who may have been affected--roughly 1,800 patients.
Data breaches aren't slowing down this year--the "wall of shame" for health data breaches at the U.S. Department of Health & Human Services has seen a lot of action this month, with more than 70 incidents added that have affected more than 500 individuals.
Update, 1/31: Kaiser Permanente, in an email statement to FierceHealthIT, writes that they have reached a settlement following the initial lawsuit with the California Attorney General's office regarding how they notify employees if their personal information has been breached.
"We are cooperating fully with the Attorney General's office and taking appropriate actions to resolve their concerns and continue to protect our employees' information. While we have notified employees in the past if their unencrypted personal information was involved in an incident, we have agreed to be even more timely in our notifications and to notify employees as information becomes available, rather than at the conclusion of an investigation," the statement reads. "We will also be adding training to our existing compliance courses for Kaiser Permanente employees regarding the sensitive nature of employee-related information, as well as continuing to review and improve our policies to safeguard confidential information."
To learn more:
- see the Law360 article (subscription required)
- read the post from Navetta
- read the Sacramento Bee article