Breaches of - PowerPoint PPT Presentation

Slides: 24
Provided by: depthealt
Transcript and Presenter's Notes

1
Breaches of Personal Confidential Information
Presented by Roberta Ward, CDHS Privacy Officer
Phone: (916) 440-7750
www.dhs.ca.gov/privacyoffice
2
Before We Begin
  • Please write on your paper the following:
      • Your Name
      • Your Date Of Birth
      • Your Height
      • Your Weight
      • One Medical Condition that you have (Examples:
        Allergies, migraines, heart palpitations)

3
Privacy Breach
  • A Privacy Breach is an unauthorized disclosure of
    PHI/PCI that violates either federal or state
    laws
      • Federal: HIPAA Privacy Rule
      • State: Information Practices Act of 1977
  • Privacy Breaches may be paper or electronic
  • Electronic breaches, when name plus Social
    Security number, or DMV, or financial account
    number are involved, require individual
    notification by law
  • CDHS is notifying individuals when name and SSN
    are on paper documents as well

4
What is PHI?
  • PHI is information that identifies or can be used
    to identify an individual
  • Information that relates to the:
      • Past, present or future health condition of that
        individual
      • Health care provided to that individual
      • Payment for that health care
  • Information in any form, including paper,
    electronic (ePHI), and oral communications

5
What Constitutes PHI: 18 Identifiers
  • Name
  • Address: Street address, city, county, zip code
    (more than 3 digits) or other geographic codes
  • Dates directly related to patient (except year),
    including DOB, admission or discharge date
  • Telephone and FAX Numbers
  • Driver's License Number
  • Email Addresses
  • Social Security Number
  • Medical Record Number
  • Health Plan Beneficiary Number
  • Account Number
  • Certificate/License number
  • Any vehicle or device serial number, including
    license plates
  • Web Addresses (URLs)
  • Internet Protocol (IP) Address
  • Finger or Voice Prints
  • Photographic Images
  • Any other unique identifying number,
    characteristic, or code
  • Age greater than 89 (as the 90 year old and over
    population is relatively small)

6
What is NOT PHI?
  • De-identified data is NOT covered by HIPAA
  • HIPAA does NOT cover:
      • Employee Records
      • Workers' Compensation Records
      • Records about Providers
  • HOWEVER, CDHS considers all three of these
    records personal confidential information (PCI),
    and therefore they must be safeguarded in the same
    manner as PHI

7
Personal Confidential Information (PCI)
  • Information that is not public which identifies
    or describes an individual, including:
      • Names
      • Home Addresses
      • Home Telephone Numbers
      • Social Security Numbers
      • Medical or Employment Histories
      • Personnel Records
      • Licensing Records

Safeguard
8
Information Practices Act (California
Civil Code section 1798 et seq.)
  • Establishes requirements for all state agencies
    for the collection, maintenance and dissemination
    of personal information
  • Allowed Disclosures:
      • To a person/agency where transfer is necessary to
        perform duties
      • To a law enforcement/regulatory agency when
        required for an investigation or for licensing,
        certification, or regulatory process
      • To another person/governmental organization for
        investigation of failure to comply with a law
        enforced by the agency

9
Examples of Paper Breaches
  • Misdirected paper faxes with PHI/PCI outside of
    CDHS
  • Loss or theft of paper documents containing
    PHI/PCI
  • Mailings to incorrect providers or beneficiaries

Unauthorized Disclosure
10
Examples of Electronic Breaches
  • Stolen, unencrypted laptops, hard drives, PCs
    with PHI/PCI
  • Stolen, unencrypted thumb drives with PHI/PCI
  • Stolen briefcases with unencrypted compact discs
    containing PHI/PCI
  • Misdirected electronic fax with PHI/PCI to person
    outside of state government

Unauthorized Disclosure
11
California Anti-Identity Theft Law
  • Senate Bill 1386 (Chapter 915, Statutes of 2002)
    requires that any breach of security of
    computerized data that includes personal
    information must be disclosed to any resident of
    California
  • Applies to state agencies, persons or businesses
    that conduct business in California
  • personal information was unencrypted and was or
    is reasonably believed to have been acquired by
    an unauthorized person

12
Anti-Identity Theft/Breach Notification Statute
  • Civil Code sections 1798.29 and 1798.82: Requires
    notification to California residents when there
    is a breach of unencrypted electronic data
    containing the following personal information:
      • The individual's first name or first initial and
        last name in combination with any one or more of
        the following data elements:
          • Social Security Number
          • Driver's license or California ID number
          • Account number, credit or debit card number in
            combination with security code, access code or
            password

13
What's the big deal?
14
Identity Thief 1
  • Specialized in cashing phony checks using her
    victims' checking accounts. This highly productive
    identity thief was arrested with a virtual goody
    bag of stolen identities indicating a dozen or
    more recent victims:
      • 15 fraudulent university ID cards
      • 12 fraudulent driver licenses
      • 14 checks to be drawn on various accounts
      • Maps with directions to local area banks

Sentence: Over 13 years in prison
15
Identity Thief 2
  • When this identity thief was arrested, she had a
    number of items indicating her specialty was in
    committing fraud in large volumes:
      • Several laptop computers
      • An ID manufacturing machine
      • ID counterfeiting credit card machine
      • 500 profiles of people (intended victims)
  • When arrested at the Phoenix airport, she had in
    her possession a plane ticket bought with a
    stolen credit card and several fake
    identifications.

Sentence: 2.5 years in prison
16
Identity Thief 3
  • This identity thief used his job at a local area
    auto dealer to obscure his real cash-making
    endeavor as an identity thief who created fake
    driver's licenses.
  • Identity thief 3 then would sell them to other
    employees for $75 apiece. The fake IDs would
    then be used to obtain loans on used vehicles on
    behalf of illegal immigrants.

Sentence: 2 years in prison
17
Timing
  • California law requires the notice be made in
    the most expedient time possible and without
    unreasonable delay
  • Time may be allowed for law enforcement, if the
    notification would impede a criminal investigation

18
Reporting Privacy Breaches
  • CDHS employees and business associates must take
    immediate action and report all Privacy Breaches
    to:
      • Your Supervisor
      • CDHS Privacy Officer
      • Information Security Officer
  • Privacy Breaches DO NOT include:
      • Misdirected mail within CDHS
      • Emails transmitted from outside CDHS to wrong
        email within CDHS or unencrypted email

19
Internal Reporting Procedures
  • Inform your manager or supervisor of an
    unauthorized disclosure or potential breach.
  • Send an email or call the Privacy Office with the
    following information:
      • Brief description of the incident
      • Date, time, and location of the incident
      • Name of affected parties/witnesses
  • A written report to the CDHS Privacy Officer is
    required after the initial email or call.
  • Use the Privacy Breach Reporting Form to describe
    the incident, identify potential harm and determine
    a corrective action plan to prevent future
    occurrences

Please see Privacy Breach Reporting Form
20
Privacy Office Procedures
  • Upon receipt of a report of a potential breach,
    the Privacy Office staff is responsible for
    notifying:
      • Program Areas Chief Deputy Director
      • Deputy Director
      • Assistant Deputy Director
      • OLS Deputy Director
      • Privacy Officer
      • ISO
      • Rich Bayquen
      • Person who notified
      • Agency
  • A complete investigation is then performed.
  • The investigative team may include but is not
    limited to members of CDHS Privacy Office, Audit
    Investigations Division, program staff.

21
Privacy Office Procedures (cont.)
  • Privacy Office will work closely with program
    staff to perform the following:
      • Mitigation activities, including any legally
        required notification to beneficiaries
      • Notification must be given to individuals in the
        most expedient time possible and without
        unreasonable delay
      • Formal Corrective Action Plan
      • Remediation Efforts
      • Follow up to ensure all resolution activities are
        completed
      • Formal Agency Breach Report to close out breach

Please see Agency Breach Report
22
Office of Privacy Protection's
Notification Recommendations
  • Notification letter: Advise individuals of steps
    they can take to protect themselves against
    possibility of identity theft
  • Recommend contacting the three credit reporting
    agencies: Equifax, Experian, and Trans Union
  • If you find suspicious activity on credit reports,
    call your local police or sheriff and file an
    identity theft report
  • Contact DMV (Fraud Hotline: 866-658-5758) to
    place fraud alert on your driver's license
  • California Office of Privacy Protection
    Recommendations available at www.privacy.ca.gov

Please see Sample Notification Letter
23
Breach Contacts
  • Privacy Officer
      • E-mail: privacyofficer_at_dhs.ca.gov
      • Phone: (916) 440-7750
      • FAX: (916) 440-7710
  • Information Security Officer
      • E-mail: dhsiso_at_dhs.ca.gov
      • Phone: (916) 440-7000 or
        (800) 579-0874