According to Wired.com’s Threat Level, the new California law requiring “organizations in California to report suspected incidents of intentional and unintentional unauthorized breaches of a patient’s personally identifiable health information to the California Department of Public Health” has prompted over 800 reports since the law went into effect on January 1st of this year. Of the 122 cases investigated so far, 116 were actual breaches – a staggeringly high percentage. While most of these breaches were unintentional, the potential for harm does not discriminate. California’s penalties are limited to fines of up to $250,000, depending on circumstances.
Most of the breaches, unintentional or not, demonstrate that personal information can be put at risk rather easily within a private setting. Technical solutions to this problem will remain ineffective, as the errors and lapses are human, not machine. It’s nice to see a disclosure law on the books that can provide additional information describing the problem. Hopefully it can serve as a deterrent, but it’s too early to tell.