California breach disclosure law covers medical records

Share this article:
California has extended its widely copied data breach notification law to encompass incidents including electronic medical and health insurance information.

AB 1298, which took effect Tuesday, adds unencrypted medical histories and information on mental or physical conditions or diagnoses to the types of records covered by the Golden State's first-in-the-nation breach notification law. Unencrypted insurance policy or subscriber numbers, applications for insurance, claims histories and appeals are also now covered.

A data loss incident must include a California resident's name to require notification. The law applies to state agencies and any company that does business with Californians.

California's data breach law, SB 1386, had previously covered only financial records. Inspiring similar laws in more than 40 states since it went into effect in 2003, the law has led to the disclosure of thousands of breaches.

Sponsored by California Assemblyman Dave Jones, D-Sacramento, AB 1298 was inspired by a recommendation in a 2006 report on medical identity theft by the World Privacy Forum, a California-based public interest research group, according to Pam Dixon, the organization's executive director.

"Medical identity theft operates differently than financial ID theft. Any piece of medical information -- in some cases, even just a name -- can be used to commit a crime, and an insurance card number is pure gold for medical ID theft,” she said. "Social Security numbers sell for a couple of dollars on the black market, but medical records files command a very high price -- they can sell for $50 on the black market."

Stolen medical records can be used to submit fraudulent insurance claims to both public and private health insurance organizations. Stolen or falsified medical records can have a far-ranging impact on patient care, as well, Dixon said.

She recalled the case of one woman whose stolen, and altered, medical records indicated she asked for prescription pain killers at a hospital emergency room, when, in fact, she didn't. "Her files now reflect that behavior, even though she had nothing to do with it,” said Dixon.

William Miaoulis, manager of consulting services at Phoenix Health Systems, a health care consulting firm, told SCMagazineUS.com today that the law will “absolutely” add to the cost of managing medical records because firms will be forced to implement improved control of mobile media.

"I think we'll see increased use of encryption on mobile devices, such as PDAs, thumb drives and laptops. We'll see increased effort to know what medical information is where,” he said. "It sounds simple, knowing where your information is. But what's occurred is that information has become much more fluid, and is easily transferable, only a few clicks and information can go from computer to computer, and knowing where you sent that information can be very important."

Share this article:

Sign up to our newsletters

More in News

Study shows how attackers make use of websites existing for less than 24 hours

Study shows how attackers make use of websites ...

Looking at the top 50 of parent domains that produced websites existing for less than 24 hours, researchers with Blue Coat Security Labs observed that 22 percent were malicious.

Phishing campaign lures victims with models' photos

Two nude models' photos reeled in unsuspecting victims who handed over their Facebook logins to gain access to adult material.

IBM projects 2014 bug disclosures may hit three-year low

IBM projects 2014 bug disclosures may hit three-year ...

The number of disclosed vulnerabilities is on track to fall below 8,000 this year, a first since 2011.