New Law Floods California With Medical Data Breach Reports: Via Wired: Threat Level.

California officials have received more than 800 reports of health data breaches in five months after a new state law went into effect January 1.

The law requires health care organizations in California to report suspected incidents of intentional and unintentional unauthorized breaches of a patient’s personally identifiable health information to the California Department of Public Health.

The agency, however, says it was surprised by the large number of reports it received in such a short period, according to the Journal of the American Health Information Management Association, and expect that number to increase dramatically.

Of the cases reported, which also include complaints from patients, officials have conducted full investigations on 122 cases so far and confirmed 116 as actual breaches. The types of breaches run the gamut from unintentionally faxing a patient’s chart or test reports to the wrong phone number to intentional snooping by workers. Most of the breaches reported so far have been unintentional.

Officials can fine offending organizations or individuals up to $250,000 for a breach, depending on the nature of the breach and the extent of the harm it caused, the Journal reports. Los Angeles-based Kaiser Permanente Bellflower Medical Center was the first to be fined this amount after investigators determined that 23 hospital workers inappropriately accessed the medical records of Nadya Suleman, aka “the Octomom” (pictured at right). Suleman is a 34-year-old single mother on public assistance who received extensive publicity this year after giving birth to octuplets following fertility treatments.

The hospital fired 15 workers and disciplined another eight employees. But that wasn’t sufficient for the state. Kaiser was fined in May after investigators found that the hospital had been negligent in protecting Suleman’s medical record once it discovered that an employee had improperly viewed it. The hospital simply added a notice to the record warning employees against authorized access but reportedly did little else to control access to the record. No individuals have been fined by the state under the California law.

Actress Farrah Fawcett, who died last week, had also filed a complaint with the state, accusing the staff at the UCLA medical center of providing information about her to a National Enquirer reporter.

California led the way in data breach laws when it passed the first notification law, which went into effect in July 2003. It requires entities doing business in California to notify consumers when their personally identifiable information is breached, such as a name and Social Security or credit card number. The law helped expose the extent of the data-breach problem and prompted other states to follow suit with their own laws. California’s new medical data breach law is the first in the nation and is being closely watched by other states. Healthcare providers, however, have criticized it for being too rigid.

Read Original Article (Via Wired: Threat Level.)