On May 14, 2009, the California Department of Public Health announced a $250,000 fine—the maximum allowed under state law—for a health facility’s inadequate protections against improper access to medical records. The state agency fined Kaiser Permanente for failing to safeguard the medical records of Nadya Suleman, a recent mother of octuplets, from employee snooping.

In all, 23 employees, including two physicians, improperly accessed Suleman’s medical records. Kaiser Permanente fired one employee, 14 resigned, and the other eight received reprimands. The unauthorized access occurred across seven facilities, all linked to the same electronic medical records system. The breach occurred despite Kaiser Permanente’s increased privacy training in advance of Suleman’s delivery and electronic warnings attached to Suleman’s records.

This fine was the first under a new California medical privacy law, embodied in CAL. HEALTH & SAFETY CODE § 1280.15, which took effect January 1, 2009. The law mirrors some of the safeguards imposed by the federal Health Insurance Portability and Accountability Act (HIPAA), though HIPAA covers only facilities that transmit electronic health information while the state law generally applies to “health facilities.”