Just recently, California Attorney General Kamala Harris filed suit against Kaiser Foundation Health Plan, Inc. (“Kaiser”) because of an alleged 2011 data privacy incident. It seems as though a simple accident led to sensitive data being accessed by unauthorized third parties, and ultimately exposed Kaiser to legal and financial risk. In this case, an external hard drive containing the sensitive personal information of Kaiser’s patients was sold to a retail thrift shop.   

 The case alleges, among other things, that Kaiser failed to notify the affected individuals timely under California’s data breach notification statute. While the outcome of this particular case may be a year or more away, businesses which handle regulated information such as HIPAA protected data (“HPI”) or non-public personally identifiable information (“NPII”) may be able to learn something from this fact case.  We recommend including the elow strategies for mitigating risk in the area of data privacy:

  1. To the extent, possible, do not allow NPII or HPI to reside on any equipment beyond company owned/managed equipment. This can be accomplished by a combination of employee training, policies and codes of conduct, and monitoring systems. 
  2. Require any third parties with whom you share data to agree in writing to terms at least as stringent as what your regulatory obligations are with respect to data privacy, security, and data breach notice; and 
  3. In the event an organization becomes aware of a situation in which unauthorized parties may have accessed NPII or HPI, notify the potentially affected individuals as soon as practicable, but in no case, less than what is required under state or federal law.

Information governance and data privacy compliance are becoming increasingly burdensome to manage.  Companies seeking assistance in this area should contact attorneys experienced in navigating this quickly changing landscape.