The California Attorney General recently sued Kaiser Foundation Health Plan, Inc., alleging that the managed health care provider had failed to promptly alert former and current employees of a 2011 security breach that placed their personal information at risk. The state court suit, brought under California’s Unfair Competition Law, alleges that Kaiser learned in September 2011 that an external hard drive containing unencrypted personal information belonging to former and current Kaiser employees had been purchased by a member of the public at a thrift store in California. The hard drive contained more than 30,000 Social Security numbers, according to the Complaint.

The Attorney General alleges that Kaiser engaged in unfair competition under Section 17200 of the California Business and Professions Code by failing to notify its former and current employees of the security breach in an expedient manner and without unreasonable delay. Kaiser is also alleged to have violated Section 17200 by posting private data on an unencrypted hard drive and by allowing that data to be made available to the public. The Attorney General requested that Kaiser be enjoined from engaging in further acts of unfair competition and that the company be compelled to pay $2,500 per violation of California’s Unfair Competition Law, in addition to the state’s costs in bringing the suit.

Kaiser is alleged to have gained custody of the hard drive in December 2011, and the provider continued to analyze it through February 2012. However, Kaiser did not notify former and current employees that their personal information, including Social Security numbers, dates of birth and information regarding spouses and children, was at risk until March 19, 2012, according to the Complaint. At that time, Kaiser sent a letter to more than 20,000 California residents informing them of the breach. The Attorney General alleged in the Complaint that Kaiser could have notified the employees as early as December 2011.

Tip: This case is a reminder that attorneys general frequently take issue when a breach notice is viewed as having been delayed. In addition, AGs often look at the underlying activities of the company after a breach notice has been made, to see if there is a possibility that the company’s actions (or failure to act) resulted in the incident.