Healthcare breaches accounted for 15% of all data breaches in California in 2012 and 2013, according to a report from the state's attorney general. Most were easily preventable, the report chides.
More than 70% of breaches in the California healthcare industry in 2012 and 2013 were of unencrypted data on lost or stolen hardware or portable disks. Only 19% of such breaches occurred in other sectors. Many of the industry's breaches could have been avoided if data owners and maintainers used stronger encryption techniques on their devices and portable drives, the attorney general's office said.
In total, there were 44 healthcare breaches over the two-year timeframe, affecting 1.5 million records across the state. In 2013, Kaiser Permanente reported two data breaches, as did the California Correctional Health Care Services Department, the report said. They were among only six entities across all sectors that reported more than one breach that year.
“Kaiser Permanente is committed to protecting the confidentiality of our members', patients' and employees' information,” a spokesman said. “We take this responsibility very seriously, and we regularly communicate with our employees about the importance of maintaining the security of all confidential information.”
In one of the Kaiser breaches, the attorney general alleges that the company waited three months to notify its employees. As a result, the company was forced to pay $150,000 in penalties and attorney's fees, according to the report.
Two-thirds of the hardware items stolen in healthcare breaches were from an office or workplace, while the remainder were stolen from an employee's car or home. Over half of the breaches included Social Security numbers, but most involved patient information.
Follow Adam Rubenfire on Twitter: @arubenfire