
Breaches of Personal Confidential Information

Breaches of Personal Confidential Information. Presented by: Roberta Ward, CDHS Privacy Officer. Phone: (916) 440-7750. www.dhs.ca.gov/privacyoffice. Before We Begin… Please write on your paper the following: Your Name, Your Date Of Birth, Your Height, Your Weight


Presentation Transcript


  1. Breaches of Personal Confidential Information Presented by: Roberta Ward, CDHS Privacy Officer • Phone: (916) 440-7750 • www.dhs.ca.gov/privacyoffice

  2. Before We Begin… • Please write on your paper the following: • Your Name • Your Date Of Birth • Your Height • Your Weight • One Medical Condition that you have (Examples: Allergies, migraines, heart palpitations)

  3. Privacy Breach • A Privacy Breach is an unauthorized disclosure of PHI/PCI that violates either federal or state laws • Federal: HIPAA Privacy Rule • State: Information Practices Act of 1977 • Privacy Breaches may be paper or electronic • Electronic breaches when name plus social security number, or DMV, or financial account number are involved require individual notification by law • CDHS is notifying individuals when name and SSN are on paper documents as well

  4. What is PHI? • PHI is information that identifies or can be used to identify an individual • Information that relates to the: • Past, present or future health condition of that individual • Health care provided to that individual • Payment for that health care • Information in any form, including paper, electronic (ePHI), and oral communications

  5. What Constitutes PHI – 18 Identifiers • Name • Address – Street address, city, county, zip code (more than 3 digits) or other geographic codes • Dates directly related to patient (except year), including DOB, admission or discharge date • Telephone & FAX Numbers • Driver’s License Number • Email Addresses • Social Security Number • Medical Record Number • Health Plan Beneficiary Number • Account Number • Certificate/License number • Any vehicle or device serial number, including license plates • Web Addresses (URLs) • Internet Protocol (IP) Address • Finger or Voice Prints • Photographic Images • Any other unique identifying number, characteristic, or code • Age greater than 89 (as the 90 year old and over population is relatively small)

  6. What is NOT PHI? • De-identified data is NOT covered by HIPAA • HIPAA does NOT cover: • Employee Records • Workers’ Compensation Records • Records about Providers • HOWEVER, CDHS considers all three of these records “personal confidential information” (PCI), and they must therefore be safeguarded in the same manner as PHI

  7. “Personal Confidential Information” (PCI) • Information that is not public which identifies or describes an individual including: • Names • Home Addresses • Home Telephone Numbers • Social Security Numbers • Medical or Employment Histories • Personnel Records • Licensing Records • Safeguard

  8. Information Practices Act (California Civil Code section 1798 et seq.) • Establishes requirements for all state agencies for the collection, maintenance & dissemination of personal information • Allowed Disclosures: • To a person/agency where transfer is necessary to perform duties • To a law enforcement/regulatory agency when required for an investigation or for licensing, certification, or regulatory process • To another person/governmental organization for investigation of failure to comply with a law enforced by the agency

  9. Examples of Paper Breaches • Misdirected paper faxes with PHI/PCI outside of CDHS • Loss or theft of paper documents containing PHI/PCI • Mailings to incorrect providers or beneficiaries • Unauthorized Disclosure

  10. Examples of Electronic Breaches • Stolen, unencrypted laptops, hard drives, PCs with PHI/PCI • Stolen, unencrypted thumb drives with PHI/PCI • Stolen briefcases with unencrypted compact discs containing PHI/PCI • Misdirected electronic fax with PHI/PCI to person outside of state government • Unauthorized Disclosure

  11. California Anti-Identity Theft Law • Senate Bill 1386 (Chapter 915, Statutes of 2002) requires that any breach of security of computerized data that includes personal information must be disclosed to any resident of California • Applies to state agencies, persons or businesses that conduct business in California • Personal information was unencrypted and was or is reasonably believed to have been acquired by an unauthorized person

  12. Anti-Identity Theft/Breach Notification Statute • Civil Code sections 1798.29 and 1798.82 require notification to California residents when there is a breach of unencrypted electronic data containing the following personal information: • The individual’s first name or first initial and last name in combination with any one or more of the following data elements: • Social Security Number • Driver’s license or California ID number • Account number, credit or debit card number in combination with security code, access code or password

  13. What's the big deal?

  14. Identity Thief #1 • Specialized in cashing phony checks using her victims’ checking accounts. This highly productive identity thief was arrested with a virtual goody bag of stolen identities indicating a dozen or more recent victims: • 15 fraudulent university ID cards • 12 fraudulent driver licenses • 14 checks to be drawn on various accounts • Maps with directions to local area banks • Sentence: Over 13 years in prison

  15. Identity Thief #2 • When this identity thief was arrested, she had a number of items indicating her specialty was in committing fraud in large volumes: • Several laptop computers • An ID manufacturing machine • ID counterfeiting credit card machine • 500 profiles of people (intended victims) • When arrested at the Phoenix airport, she had in her possession a plane ticket bought with a stolen credit card and several fake identifications. Sentence: 2.5 years in prison

  16. Identity Thief #3 • This identity thief used his job at a local area auto dealer to obscure his real cash-making endeavor as an identity thief who created fake driver’s licenses. • Identity thief #3 then would sell them to other employees for $75 apiece. The fake IDs would then be used to obtain loans on used vehicles on behalf of illegal immigrants. • Sentence: 2 years in prison

  17. Timing • California law requires the notice be made “in the most expedient time possible and without unreasonable delay” • Time may be allowed for law enforcement, if the notification would impede a criminal investigation

  18. Reporting Privacy Breaches • CDHS employees and business associates must take immediate action and report all Privacy Breaches to: • Your Supervisor • CDHS Privacy Officer • Information Security Officer • Privacy Breaches DO NOT include: • Misdirected mail within CDHS • Emails transmitted from outside CDHS to wrong email within CDHS or unencrypted email

  19. Internal Reporting Procedures • Inform your manager or supervisor of an unauthorized disclosure or potential breach. • Send an email or call the Privacy Office with the following information: • Brief description of the incident • Date, time, and location of the incident • Name of affected parties/witnesses • A written report to the CDHS Privacy Officer is required after the initial email or call. • Use the Privacy Breach Reporting Form to describe the incident, identify potential harm & determine a corrective action plan to prevent future occurrences Please see Privacy Breach Reporting Form

  20. Privacy Office Procedures • Upon receipt of a report of a potential breach, the Privacy Office staff is responsible for notifying: • Program Area’s Chief Deputy Director • Deputy Director • Assistant Deputy Director • OLS Deputy Director • Privacy Officer • ISO • Rich Bayquen • Person who notified • Agency • A complete investigation is then performed. • The investigative team may include but is not limited to members of CDHS Privacy Office, Audit & Investigations Division, & program staff.

  21. Privacy Office Procedures cont… • Privacy Office will work closely with program staff to perform the following: • Mitigation activities, including any legally required notification to beneficiaries • Notification must be given to individuals in the most expedient time possible and without unreasonable delay • Formal Corrective Action Plan • Remediation Efforts • Follow up to ensure all resolution activities are completed • Formal Agency Breach Report to close out breach • Please see Agency Breach Report

  22. Office of Privacy Protection’s Notification Recommendations • Notification letter: Advise individuals of steps they can take to protect themselves against the possibility of identity theft • Recommend contacting the three credit reporting agencies: Equifax, Experian, and Trans Union • If you find suspicious activity on credit reports, call your local police or sheriff and file an identity theft report • Contact DMV (Fraud Hotline: 866-658-5758) to place fraud alert on your driver’s license • California Office of Privacy Protection Recommendations available at: www.privacy.ca.gov • Please see Sample Notification Letter

  23. Breach Contacts • Privacy Officer • E-mail: privacyofficer@dhs.ca.gov • Phone: (916) 440-7750 • FAX: (916) 440-7710 • Information Security Officer • E-mail: dhsiso@dhs.ca.gov • Phone: (916) 440-7000 or (800) 579-0874
