Hospital appeals $250,000 fine for late breach disclosure

Computerworld - The Lucile Packard Children's Hospital at Stanford University is appealing a whopping $250,000 fine imposed by California Department of Public Health (CDPH) for its alleged delay in reporting a data breach that exposed confidential patient data.

In a statement Thursday, the hospital contended that it had reported the breach in accordance with requirements.

"We are appealing the timeline," a hospital spokesman said today. He added that the breach was self-reported by the hospital to CDPH.

The fine was levied in April under a state statute passed in 2008 that allows state agencies to, among other things, penalize organizations that fail to report data breaches as required by the state.

Under the statute, health care organizations must report a breach that could expose protected health information to appropriate government agencies and affected individuals within five days of its discovery. The penalty for failing to meet the deadline is $100 per day per breached record up to a maximum of $250,000.

A CDPH spokesman said that affected patients at Lucile Packard Hospital were not informed of the breach for 19 days after it was discovered. The hospital was assessed the maximum penalty, the spokesman said.

The breach occurred on Jan, 11, 2010, when a computer containing protected health information on 532 patients was stolen from the hospital's heart center by an employee, according to CDPH documents.

The hospital's IT organization determined by Feb. 2 that the stolen computer stored myriad personal information, including patient names, dates of birth, medical record numbers, diagnoses, treatment procedures, insurance information and Social Security numbers, according to a document on the CDPH Web site.

Following an investigation, the Palo Alto Police Department and hospital authorities concluded that the missing computer would not likely be recovered. The hospital notified the CDPH of the breach on Feb 19. The hospital notified affected patients a week later. The hospital at the time also offered the affected patients identity theft monitoring services without charge.

In a report to CDPH, the hospital contended that it had taken all reasonable precautions to mitigate the risk to personal information. The hospital said it had implemented 26 privacy policies and 27 separate information security policies to protect personal data.

The hospital described the incident as isolated, noting that the employee who stole the machine had legitimate access to the computer and to the data on it. The CDPH however, ruled that the hospital did not fulfill its obligations under the statute, and thus issued the fine.

The CDPH actions were based on the SB 541 and AB 211 California statutes enacted in 2008 to improve patient privacy laws and bolster patient data security. Among other measures, the laws gives the CDPH the authority to assess administrative penalties of up to $25,000 per patient whose records are compromised.

The state has fined six hospitals so far this year for failing to prevent unauthorized access to personal data.

For instance, the Community Hospital of San Bernardino was fined $250,000 for allegedly failing to prevent unauthorized employee access to the persoanl belonging to 204 individuals and the Enloe Medical Center in Chico was hit with a $130,000 penalty after employees accessed a "high-profile" patient's X-ray's and other records, according to documents on the CDPH Web site.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.

Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.