BreachExchange mailing list archives

$250,000 penalty issued to Lucile Packard Children’s Hospital was an error – CDPH


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Thu, 7 Mar 2013 17:25:30 -0600

http://www.phiprivacy.net/?p=11939

A breach at Lucile Salter Packard Children’s Hospital in 2010
generated a number of posts on this blog – especially after the
hospital was reportedly fined $250,000 by California for a delay in
notifying patients of the breach.

I recently reported that the hospital had settled its appeal with the
state and did not have to pay the $250,000 fine, but I didn’t know why
or what we could learn from the settlement. Neither the hospital nor
the state would give me any statement before I wrote that post.

The state subsequently contacted me and said they would issue a
statement, which I just received:

The original $250,000 penalty posting was an error discovered during
the appeal. The correct calculation should have been $100/day times
the number of days the facility failed to report the breach to CDPH,
for a total penalty of $1100.

So after all that – and after all the blog entries and discussions
with lawyers about the wisdom of such a steep penalty under the
conditions of the breach and the possible constitutionality of
California’s law – the fine was just a mistake.

And thus endeth this story.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
