California Adopts Statewide Data Breach Notification Requirements
Gov. Jerry Brown (D) has signed into law a three-bill legislative package to adopt statewide data breach notification requirements developed in response to major breaches at several health systems, including one in California, FierceHealthIT reports (Dvorak, FierceHealthIT, 10/13).
Background on UCLA Health Data Breach
In July, UCLA Health announced that it suffered a cyberattack that could have compromised the personal health records of up to 4.5 million people.
The health system said it confirmed the breach on May 5 and believes that hackers may have accessed parts of the network that contain personal information and some medical information as early as September 2014. Officials said there was no evidence that personal data were accessed or acquired, but the health system offered affected individuals 12 months of no-cost identity theft and health care identity protection services (California Healthline, 7/20).
Details of New Law
According to Health IT Security, the legislative package addresses:
- Data encryption standards;
- The definition of personal information; and
- Language for data breach notifications (Heath, Health IT Security, 10/12).
The three bills are:
- AB 964, which states that data are properly encrypted if the information has been "rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security";
- AB 570, which requires breach notifications -- to be titled "Notice of Data Breach" -- to include subheads detailing the breach, what information was compromised and steps affected patients and organizations can take; and
- AB 34, which modifies the definition of personal information to include data captured by automated license plate recognition systems (FierceHealthIT, 10/13).