Citing what he said were “multiple unreported ransomware attacks” against health care facilities, California Attorney General Rob Bonta last week issued a memo reminding the state’s medical sector that it’s required to report data breaches and other cyber incidents to his office.
The bulletin, issued Aug. 24, came at a time when COVID-19 cases and hospitalizations are ticking up across the state as the delta variant continues its surge, and as the global health sector faces ongoing threats from ransomware actors seeking to take advantage of a health crisis.
“Entities entrusted with private and deeply personal data, like hospitals and other healthcare providers, must secure information against evolving threats,” Bonta said in a press release.
In addition to the federal Health Insurance Portability and Accountability Act, which requires providers and insurers to secure patients’ personal information, state law also requires California health providers to report any breach affecting more than 500 patients to the attorney general’s office.
“Across the nation, cyberattacks on the healthcare sector have interrupted service delivery and patient care, and eroded patient trust,” Bonta’s memo reads. “The effects of a health data breach on consumers outlast the initial breach. Timely breach notification helps affected consumers mitigate the potential losses that could result from the fraudulent use of their personal information obtained from a breach of health data.”
The document, which was sent to associations representing California hospitals, physicians and dentists, also urges providers to patch their operating systems regularly, install virus protection software, maintain data backups and develop incident response plans in case of a breach.
Cybercrime and data breaches are “increasingly dominant” concerns for state attorneys general, Connecticut Attorney General William Tong told StateScoop in June following a meeting with White House cybersecurity adviser Anne Neuberger.
While Bonta said California’s health industry has incurred several unreported incidents, the state’s health sector has had its share of public ransomware incidents, including one in May that locked the IT systems of Scripps Health, a five-hospital chain around San Diego. The incident forced some patient appointments to be canceled or rescheduled, and in June, Scripps was named in four class-action lawsuits, in state and federal court, alleging that it failed to protect patients’ information.