150 likes | 262 Views
PRIVACY BREACHES. What is a Breach?. A “breach of the security of the system”: Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.” AND
E N D
What is a Breach? • A “breach of the security of the system”: • Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.” AND • Must be disclosed to any resident of the state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Privacy Investigations The Department of Health Care Services (DHCS) investigates all alleged breaches reported by its employees, staff of its business associates, individual program beneficiaries or other persons and will work to resolve the issues raised in order to safeguard individuals' confidential information and improve the DHCS business systems and practices. The Privacy Officer determines the appropriate level of response to mitigate potential harm and corrective action necessary when the DHCS is made aware of a privacy breach.
Examples ofPaper Breaches • Misdirected paper faxes with PHI/PCI outside of Department of Health Care Services (DHCS) • Loss or theft of paper documents containing PHI/PCI • Mailings to incorrect providers or beneficiaries Unauthorized isclosure
Examples of Electronic Breaches • Stolen, unencrypted laptops, hard drives, PCs with PHI/PCI • Stolen, unencrypted thumb drives with PHI/PCI • Stolen briefcases with unencrypted compact discs containing PHI/PCI • Misdirected electronic fax with PHI/PCI to person outside of state government Unauthorized isclosure
California Anti-Identity Theft Law (Civil Code section 1798.29) LEGISLATIVE HISTORY • Senate Bill 1386(Peace; Chapter 915, Statutes of 2002) otherwise known as the California Security Breach Notification Act requires state agencies and other entities that maintain personal information in computerized form to notify residents of California in the event of an unauthorized acquisition of computerized data.
California Anti-Identity Theft Law LEGISLATIVE HISTORY (continued) California Adds Medical Identity Theft to the State Breach Notification Law • Assembly Bill 1298(Jones; Chapter 699, Statutes of 2007) expands California’s Security Breach Notification Act from a financial identity theft law to a medical identity law effectiveJanuary 1, 2008. AB 1298 adds two new categories of breach triggering information: • Medical information: defined as the individual’s medical history, treatment or diagnosis; mental or physical health condition • Health information: health insurance policy or subscriber number, application and claims history, as well as appeals records
Timing • California law requires the notice be made “in the most expedient time possible and without unreasonable delay.” • Time may be allowed for needs of law enforcement, if the notification would impede a criminal investigation
Office of Privacy Protection Notification Requirements Office of Privacy Protection Notification Recommendations • Notification letter: Advise individuals of steps they can take to protect themselves against possibility of identity theft. • Recommend contacting the three credit reporting agencies: Equifax, Experian, and Trans Union. • If find suspicious activity on credit reports, call your local police or sheriff and file an identity theft report. • Contact DMV (Fraud Hotline: 866-658-5758) to place fraud alert on your driver’s license. • California Office of Privacy Protection Recommendations available at: www.privacy.ca.gov
Free Credit Report Free Credit Report One of the best ways to protect from identity theft is to monitor your credit history. • The federal Fair Credit Reporting Act (FCRA) requires the nationwide credit reporting agencies to provide a free copy of their credit report upon request every 12 months. • You may obtain your free copy of your credit report by: • Calling toll free at: 1-877-322-8228 • The three credit bureaus have set up one central website at: https://www.annualcreditreport.com/cra/index.jsp. Note: beware of other sites that may offer “free” credit reports that may charge for other products.
Fraud Alerts!Civil Code Section 1785.11.1 Fraud Alerts (Civil Code section 1785.11.1) SB 168 (Bowen; Chapter 720; Statutes of 2001) established fraud alert to warn banks/potential creditors that person may be victim of Identity Theft. • Requires credit bureau fraud/security alert within 5 business days of consumer request at no cost to consumer. • Contact three credit reporting agencies: Equifax, Experian, and Trans Union at toll-free number available 24/7. • Fraud alert lasts 90 days with right to request a renewal. • Business must take reasonable steps to verify identity of consumer by contacting consumer before extending credit
Credit FreezeCivil Code Section 1785.11.2 Credit Freeze(Civil Code section 1785.11.2) Fraud alerts may be ignored by some creditors. To further guard against identity theft, California law allows consumers to place a security “freeze” so the credit file cannot be shared with potential creditors. • No cost with a police report filed for victim of identity theft, otherwise $10 for each credit bureau ($30). • Freeze may be lifted to obtain credit with a specific creditor while the freeze is in place. • Credit bureau must respond within three business days. • Credit freeze is in place until consumer requests that it be removed. • Freeze may be temporarily lifted by a consumer.
Federal Stimulus Bill Includes New Mandatory Breach Notifications American Recovery and Reinvestment Act of 2009 (AARA); H.R. 1; Public Law 111-5; Signed into law by President Obama on 2/17/09 Title XIII of AARA, under provisions of the HITECH ACT, Subtitle D: Privacy – Sec. 13402 entitled, “Notification in the case of Breach” contains new privacy breach notification requirements for covered entities under HIPAA: Requires notification within 60 days for a privacy breach involving HIPAA covered PHI. Requires notification to the U.S. Department of Health & Human Services and media outlets for privacy breaches impacting 500 or more individuals. Breaches of less than 500 must be logged and provided to HHS annually. Authorizes state attorney generals to bring suit for HIPAA violations.
Breach Contacts Breach/Unauthorized Disclosures Contacts Privacy Officer E-mail: privacyofficer@dhcs.ca.gov Phone: (916) 445-4646 FAX: (916) 440-7680 Information Security Officer E-mail: iso@dhcs.ca.gov Phone: (916) 440-7000 or (800) 579-0874