California breach disclosure law covers medical records

California has extended its widely copied data breach notification law to encompass incidents including electronic medical and health insurance information.

AB 1298, which took effect Tuesday, adds unencrypted medical histories and information on mental or physical conditions or diagnoses to the types of records covered by the Golden State's first-in-the-nation breach notification law. Unencrypted insurance policy or subscriber numbers, applications for insurance, claims histories and appeals are also now covered.

A data loss incident must include a California resident's name to require notification. The law applies to state agencies and any company that does business with Californians.

California's data breach law, SB 1386, had previously covered only financial records. Since taking effect in 2003, the law has inspired similar laws in more than 40 states and has led to the disclosure of thousands of breaches.

Sponsored by California Assemblyman Dave Jones, D-Sacramento, AB 1298 was inspired by a recommendation in a 2006 report on medical identity theft by the World Privacy Forum, a California-based public interest research group, according to Pam Dixon, the organization's executive director.

"Medical identity theft operates differently than financial ID theft. Any piece of medical information -- in some cases, even just a name -- can be used to commit a crime, and an insurance card number is pure gold for medical ID theft," she said. "Social Security numbers sell for a couple of dollars on the black market, but medical records files command a very high price -- they can sell for $50 on the black market."

Stolen medical records can be used to submit fraudulent insurance claims to both public and private health insurance organizations. Stolen or falsified medical records can have a far-ranging impact on patient care, as well, Dixon said.

She recalled the case of one woman whose stolen, and altered, medical records indicated she asked for prescription pain killers at a hospital emergency room, when, in fact, she didn't. "Her files now reflect that behavior, even though she had nothing to do with it," said Dixon.

William Miaoulis, manager of consulting services at Phoenix Health Systems, a health care consulting firm, told today that the law will "absolutely" add to the cost of managing medical records because firms will be forced to implement improved control of mobile media.

"I think we'll see increased use of encryption on mobile devices, such as PDAs, thumb drives and laptops. We'll see increased effort to know what medical information is where," he said. "It sounds simple, knowing where your information is. But what's occurred is that information has become much more fluid and is easily transferable; with only a few clicks, information can go from computer to computer, and knowing where you sent that information can be very important."
