BreachExchange mailing list archives
$250,000 penalty issued to Lucile Packard Children’s Hospital was an error – CDPH
From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Thu, 7 Mar 2013 17:25:30 -0600
http://www.phiprivacy.net/?p=11939

A breach at Lucile Salter Packard Children’s Hospital in 2010 generated a number of posts on this blog – especially after the hospital was reportedly fined $250,000 by California for a delay in notifying patients of the breach.

I recently reported that the hospital had settled its appeal with the state and did not have to pay the $250,000 fine, but I didn’t know why or what we could learn from the settlement. Neither the hospital nor the state would give me any statement before I wrote that post.

The state subsequently contacted me and said they would issue a statement, which I just received:

The original $250,000 penalty posting was an error discovered during the appeal. The correct calculation should have been $100/day times the number of days the facility failed to report the breach to CDPH, for a total penalty of $1100.

So after all that – and after all the blog entries and discussions with lawyers about the wisdom of such a steep penalty under the conditions of the breach and the possible constitutionality of California’s law, the fine was just a mistake.

And thus endeth this story.