Breach vs. Security Incident

A security incident is an actual or suspected occurrence of:

• Damage, destruction, unauthorized access or disclosure of Department equipment or information.

• Theft, or even attempted theft, or loss of Department equipment or information.

• Fraud, embezzlement, misuse or inappropriate use of state property.

• Apparent detection of a computer virus on a state computer.

Simply put, theft of a computer or other IT equipment or device is a security incident that must be reported to the Information Security Office (ISO) immediately!

If PHI/PCI/sensitive information was present, the incident is also a breach of confidential information. It must then be escalated to the Department’s Privacy Office. The Privacy Office is responsible for directing notification to the individuals whose information was breached.


Security Incident Reporting

State policy requires Departments to follow specified notification and reporting processes when information security incidents occur.

“…It is Department policy to maintain a record of security incidents and breaches and employ security measures that preserve the privacy of confidential, personal, or sensitive information and prevent the release or destruction of confidential, personal, or sensitive information through theft, loss, damage, unauthorized destruction or modification, unintentional or inappropriate release, misuse, accident, sabotage or other criminal activity, or natural disaster.”

What do you do if you encounter an incident (or even suspect one)?

– Contact your supervisor immediately! HAM 6-1060.1 requires: “Department employees shall, in the most expedient time possible and without unreasonable delay, report any suspected or confirmed incident to the employee’s Division Chief via the employee’s chain of command”…

– If you are the supervisor, or your supervisor is not available, call the IT Help Desk and open a Remedy ticket. (See the Website Reference page at the conclusion of this training.)


What is a Breach?

• A “breach of the security of the system”:

– Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.”

AND

– Must be disclosed to any resident of the state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.


Examples of Paper Breaches

• Misdirected paper faxes with PHI/PCI outside of DHCS

• Loss or theft of paper documents containing PHI/PCI

• Mailings to incorrect providers or beneficiaries


Examples of Electronic Breaches

• Stolen, unencrypted laptops, hard drives, PCs with PHI/PCI

• Stolen, unencrypted thumb drives with PHI/PCI

• Stolen briefcases with unencrypted compact discs containing PHI/PCI

• Misdirected electronic fax with PHI/PCI to a person outside of state government


California Anti-Identity Theft Law

LEGISLATIVE HISTORY

• Senate Bill 1386 (Peace; Chapter 915, Statutes of 2002), otherwise known as the California Security Breach Notification Act, requires state agencies and other entities that maintain personal information in computerized form to notify residents of California in the event of an unauthorized acquisition of computerized data.

– California Adds Medical Identity Theft to the State Breach Notification Law

• Assembly Bill 1298 (Jones; Chapter 699, Statutes of 2007) expands California’s Security Breach Notification Act from a financial identity theft law to a medical identity theft law, effective January 1, 2008.

AB 1298 adds two new categories of breach-triggering information:

– Medical information: defined as the individual’s medical history, treatment or diagnosis; mental or physical health condition

– Health information: health insurance policy or subscriber number, application and claims history, as well as appeals records


Timing

• California law requires that the notice be made “in the most expedient time possible and without unreasonable delay.”

• Notification may be delayed to meet the needs of law enforcement, if a law enforcement agency determines that notification would impede a criminal investigation.


Contractors & Business Associates

• Any person or business that maintains computerized data the person or business does not own must notify the owner or licensee of the information of any breach of the security of the system immediately following discovery.

• Notification requirements should be written into contracts and Business Associate Agreements (BAAs).


Office of Privacy Protection Notification Recommendations

• Notification letter: advise individuals of steps they can take to protect themselves against the possibility of identity theft.

• Recommend contacting the three credit reporting agencies: Equifax, Experian, and Trans Union.

• If you find suspicious activity on your credit reports, call your local police or sheriff and file an identity theft report.

– Contact DMV (Fraud Hotline: 866-658-5758) to place a fraud alert on your driver’s license.

• California Office of Privacy Protection recommendations are available at: www.privacy.ca.gov.


Reporting Privacy Breaches (HAM Section 1060.1)

• DHCS employees and business associates must take immediate action and report all privacy breaches to:

– Your Supervisor
– DHCS Privacy Officer
– Information Security Officer

Do not delay reporting a suspected privacy breach in order to complete your own internal investigation.

• Privacy breaches DO NOT include:

– Misdirected mail within DHCS
– Emails transmitted from outside DHCS to the wrong email address within DHCS, or unencrypted email.


Breach Written Report

A completed written breach report to the DHCS Privacy Office is required within 15 working days of discovery of a breach:

– Incident details and description, including:

• What data elements were involved and the extent of the data involved.

• How many Medi-Cal beneficiaries were affected.

• If this was an electronic breach, whether the device was encrypted.

– Cause of incident, or probable cause.

– Impact of incident: potential misuse of data, identity theft, etc.

– Whether Civil Code sections 1798.29, 1798.82, or any other federal or state laws requiring individual notifications were triggered.

– Mitigation: steps to reduce harmful effects, e.g., notification of members.

– Corrective Action Plan: steps to prevent recurrence, such as retraining of staff or creation/revision of procedures.

– Additional information, such as notification to other facilities’ units, Fraud Prevention and/or police, licensing boards, etc.


Privacy Investigations

DHCS investigates all alleged breaches reported by its employees, staff of its business associates, individual program beneficiaries or other persons, and will work to resolve the issues raised in order to safeguard individuals' confidential information and improve DHCS business systems and practices.

The Privacy Officer determines the appropriate level of response to mitigate potential harm and the corrective action necessary when DHCS is made aware of a privacy breach.


Fraud Alerts! Civil Code Section 1785.11.1

SB 168 (Bowen; Chapter 720; Statutes of 2001) established the fraud alert to warn banks/potential creditors that a person may be a victim of identity theft.

– Requires credit bureau fraud/security alert within 5 business days of consumer request, at no cost to the consumer.

– Contact the three credit reporting agencies: Equifax, Experian, and Trans Union, at a toll-free number available 24/7.

– Fraud alert lasts 90 days, with the right to request a renewal.

– Business must take reasonable steps to verify the identity of the consumer by contacting the consumer before extending credit.


Credit Freeze (Civil Code Section 1785.11.2)

Fraud alerts may be ignored by some creditors. To further guard against identity theft, California law allows consumers to place a security “freeze” so the credit file cannot be shared with potential creditors.

– No cost with a police report filed for a victim of identity theft; otherwise $10 for each credit bureau ($30 total).

– Freeze may be lifted to obtain credit with a specific creditor while the freeze is in place.

– Credit bureau must respond within three business days.

– Credit freeze stays in place until the consumer requests that it be removed.

– Freeze may be temporarily lifted by the consumer.


Free Credit Report

One of the best ways to protect yourself from identity theft is to monitor your credit history.

• The federal Fair Credit Reporting Act (FCRA) requires the nationwide credit reporting agencies to provide a free copy of your credit report upon request every 12 months.

• You may obtain your free credit report by:

– Calling toll free at: 1-877-322-8228

– Visiting the central website the three credit bureaus have set up at: https://www.annualcreditreport.com/cra/index.jsp

Note: beware of other sites that offer “free” credit reports but charge for other products.


Breach/Unauthorized Disclosures Contacts

Privacy Officer
E-mail: [email protected]
Phone: (916) 440-7750
FAX: (916) 440-7710

Information Security Officer
E-mail: [email protected]
Phone: (916) 440-7000 or (800) 579-0874


Federal Stimulus Bill Includes New Mandatory Breach Notifications

American Recovery and Reinvestment Act of 2009 (ARRA); H.R. 1; Public Law 111-5; signed into law by President Obama on 2/17/09.

Title XIII of ARRA, under provisions of the HITECH Act, Subtitle D: Privacy – Sec. 13402, entitled “Notification in the Case of Breach”, contains new privacy breach notification requirements for covered entities under HIPAA:

• Requires notification of affected individuals without unreasonable delay, and no later than 60 calendar days after discovery, for a privacy breach involving HIPAA-covered PHI.

• Requires notification to the U.S. Department of Health & Human Services and to media outlets for privacy breaches impacting 500 or more individuals.

• Breaches affecting fewer than 500 individuals must be logged and reported to HHS annually.

• Authorizes state attorneys general to bring suit for HIPAA violations.