Dive Brief:
- California's Attorney General has filed a lawsuit against the Kaiser Foundation Health Plan alleging that the plan took too long to notify employees about a 2011 breach of their personal data.
- In 2011, an external hard drive from Kaiser containing data on 20,000 current and former Kaiser employees was accidentally sold to a member of the public. The data included addresses, dates of birth and Social Security numbers.
- The health plan learned of the breach in December 2011 -- when the drive was returned to Kaiser -- but didn't notify affected individuals until March 2012.
- The lawsuit claims that Kaiser violated California's breach notification law, which states that disclosure of breaches "shall be made in the most expedient time possible and without unreasonable delay."
Dive Insight:
Legal experts say that this case's outcome should set a precedent for other practitioners and companies that handle data in California. After all, with the law's language on breaches not naming a specific timeline for disclosure, it's up to the discretion of regulators to decide what timely disclosure really is, and how much wiggle room providers and other companies have. It also seems likely that this decision could influence regulators in other states with breach laws in place.