Key findings from the California Data Breach Report

In 2002, California became the first state in the country to enact a data breach reporting law to help protect consumers from the effects of having their personal data breached.

In September 2014, California’s breach notification deadlines for medical information breaches were extended from 5 business days to 15 business days for clinics, health facilities, home health agencies, and hospices. This was great news for healthcare providers, who often struggled to investigate and respond to a potential breach within such a short period of time.

Many other US states soon followed California’s lead. Nearly every state now has its own breach notification law, so in addition to HIPAA, healthcare providers should also be well versed in the state laws relating to data breaches.

Report highlights
In the latest report, data breaches from 2012 to 2015 were analyzed. The report presents data on the nature of the breaches that occurred, and provides information on what can be learned from them regarding threats and vulnerabilities. The report concludes with recommendations aimed at reducing the risk of data breaches.

Over this four-year period, the Attorney General received reports on 657 data breaches, affecting more than 49 million records. During 2015, 178 data breaches put over 24 million records at risk. This means that nearly three in five Californians were victims of a data breach last year.

In line with the findings of last year’s Ponemon report, the majority of reported breaches were the result of cyber attacks. Breaches resulting from stolen and lost equipment containing unencrypted data, and from both unintentional and intentional actions by insiders (including employees and service providers), also topped the list.

With medical information said to be ten times more valuable to hackers than credit card information on the black market, it’s no wonder that medical information was frequently breached. Social Security numbers were the most likely to be breached, and while payment card data was the second most likely data type to be breached (involved in 39% of all breaches), medical or health insurance information, which most individuals regard as very sensitive, comprised a larger share of records breached.

The report states that medical information was included in 19% of breaches, affecting 18 million records. The healthcare sector, with 16% of breaches, continued to be vulnerable to physical breaches, although malware and hacking breaches are beginning to increase as an increasing number of organizations transition to ePHI. The most vulnerable information in healthcare was medical information, such as PHI, and Social Security numbers.

Type of data by share of breaches and records, 2012-2015

Note: Total is greater than 100% because some breaches involved more than one data type.

In the healthcare sector, the main reason for breaches occurring was as a result of physical theft and loss: 54% compared to just 16% across all other sectors. However, the report notes that the incidence of malware and hacking breaches in the sector has been rising year on year, from 5% in 2012 to 21% in 2015.

Healthcare sector vs. all others by type of breach, 2012-2017

The report concludes by stating that recent calls to pass a federal law that would preempt state breach notification laws would result in protection far below California’s current level. While the rationale offered has focused on reducing the burden on organizations of complying with the different state laws, California, along with many other states, feels that such a federal law is not in the best interests of the people living within its jurisdiction.