California data breach disclosure law extended to cover medical records
California has extended its widely copied data breach notification law to encompass incidents including electronic medical and health insurance information.
AB 1298, which took effect Tuesday, adds unencrypted medical histories and information on mental or physical conditions or diagnoses to the types of records covered by the Golden State's first-in-the-nation breach notification law. Unencrypted insurance policy or subscriber numbers, applications for insurance, claims histories and appeals are also now covered.
A data loss incident must include a California resident's name to require notification. The law applies to state agencies and any company that does business with Californians.
California's data breach law, SB 1386, had previously covered only financial records. Inspiring similar laws in more than 40 states since it went into effect in 2003, the law has led to the disclosure of thousands of breaches.
Sponsored by California Assemblyman Dave Jones, D-Sacramento, AB 1298 was inspired by a recommendation in a 2006 report on medical identity theft by the World Privacy Forum, a California-based public interest research group, according to Pam Dixon, the organization's executive director.
"Medical identity theft operates differently than financial ID theft. Any piece of medical information -- in some cases, even just a name -- can be used to commit a crime, and an insurance card number is pure gold for medical ID theft,” she said. "Social Security numbers sell for a couple of dollars on the black market, but medical records files command a very high price -- they can sell for $50 on the black market."
Stolen medical records can be used to submit fraudulent insurance claims to both public and private health insurance organizations. Stolen or falsified medical records can have a far-ranging impact on patient care, as well, Dixon said.
She recalled the case of one woman whose stolen, and altered, medical records indicated she asked for prescription pain killers at a hospital emergency room, when, in fact, she didn't. "Her files now reflect that behavior, even though she had nothing to do with it,” said Dixon.
William Miaoulis, manager of consulting services at Phoenix Health Systems, a health care consulting firm, told SCMagazineUS.com today that the law will “absolutely” add to the cost of managing medical records because firms will be forced to implement improved control of mobile media.
"I think we'll see increased use of encryption on mobile devices, such as PDAs, thumb drives and laptops. We'll see increased effort to know what medical information is where,” he said. "It sounds simple, knowing where your information is. But what's occurred is that information has become much more fluid, and is easily transferable, only a few clicks and information can go from computer to computer, and knowing where you sent that information can be very important."