California Attorney General Reminds Healthcare Entities of Responsibility for Customer Data

  • California AG Rob Bonta sent a bulletin to healthcare organizations, including the California Hospital Association, the California Medical Association, and the California Dental Association, reminding healthcare facilities and providers of their obligation to comply with state and federal health data privacy laws.
  • The bulletin stresses that healthcare entities must notify the California Department of Justice (“DOJ”) when they experience a data breach that impacts more than 500 California residents so that the DOJ can notify the public of the breach. According to the AG’s office, the bulletin was sent after multiple California healthcare entities failed to report ransomware attacks, and after an October 2020 joint report by several federal government agencies cited credible imminent cybercrime threats to U.S. healthcare entities.
  • The bulletin urges healthcare entities to proactively protect patient data from ransomware attacks by applying the latest patches to operating systems and software, installing virus protection software, regularly training staff on data security best practices, and restricting the ability of staff to download, install, and run unapproved software, among other things.