SACRAMENTO — As part of a subdued legal settlement, Attorney General Kamala Harris has agreed to drop a data breach lawsuit against Kaiser Foundation Health Plan Inc. if the Oakland managed care provider pays $150,000 to the state and improves its information-handling practices.
The complaint and proposed settlement, both filed without fanfare in Alameda County Superior Court on Jan. 24, stem from the exposure of more than 30,000 names, Social Security numbers, birthdates and addresses belonging to current and former Kaiser employees and their dependents. The information was found on an unencrypted external hard drive sold at a Santa Cruz thrift store.
Kaiser learned of the breach in December 2011 but did not send letters to 20,539 affected Californians until mid-March 2012, according to the AG’s office. Harris contends the three-month notification delay violates Civil Code Section 1798.82, which requires data-holders to disclose any breach “in the most expedient time possible and without unreasonable delay.”
The AG’s complaint sought $2,500 for each alleged violation, far more than the settlement’s proposed $150,000 total sanction ($30,000 would go to the state under the deal, $120,000 to cover the AG’s legal fees). The settlement would also require Kaiser to provide more employee training about the “sensitive nature” of personnel files, to review its email encryption policies and to audit its employees’ access to confidential information.
In a statement, Kaiser said it has already enacted many of the changes sought by the AG.
“We are cooperating fully with the Attorney General’s office and taking appropriate actions to resolve their concerns and continue to protect our employees’ information,” the company said.
Kaiser was represented in the settlement crafting by John Hueston, chair of Irell & Manella’s business trial and crisis management practice.
The HMO has attracted unwanted headlines, and litigation, with the discovery of two patient data breaches last fall. One, the result of a lost flash drive, resulted in Kaiser notifying more than 50,000 Southern California health plan members that their information was at risk. The second, affecting a much smaller number of patients, resulted when an email attachment was sent to someone outside the Kaiser network.
Former state Senator Steve Peace announced in early October that he was halting efforts to qualify a sweeping data privacy initiative. But that didn’t stop Google Inc. and Facebook Inc. from dropping money later that fall into a campaign to defeat the measure, state records show.
Google gave $15,000 to the Committee to Protect California Jobs, a state Chamber of Commerce-sponsored campaign account created to kill Peace’s California Personal Privacy Initiative. Facebook contributed $10,000 to the committee on Dec. 2, according to campaign filings.
Peace’s initiative would have embedded in the constitution a presumption that any personally identifying information a consumer gives to a company or government agency is confidential and must be protected “by all reasonably available means.” Any unauthorized release of that information would have constituted harm, opening the doors to litigation even if a plaintiff could not demonstrate suffering actual harm.
But Peace dropped attempts to qualify the initiative after the legislative analyst’s office slapped it with a label that said it might lead to “potentially significant costs to state and local governments from additional or more costly lawsuits.” That analysis—Peace said it was inaccurate and “fatal”—would have been seen by potential voters.
Google, Facebook and other data-collecting companies were clearly spooked by the measure. Data broker Acxiom Corp. gave $10,000 to the campaign to defeat it. Other donors included Bank of America, McKesson Corp. and the Direct Marketing Association.
As for the donations made after the initiative died, well, bills still had to be paid—and perhaps any interest in reviving the measure discouraged. The anti-initiative campaign spent $20,000 on a public relations firm, more than $37,000 on polling and research and nearly $33,000 on legal help from Nielsen Merksamer Parrinello Gross & Leoni.
California is pressing ahead with privacy rules for local law enforcement agencies’ use of drones. AB 1327 by Assemblyman Jeff Gorrell, R-Camarillo, would require police in most cases to obtain a warrant before buzzing suspects and their suspected locations. The warrant requirement wouldn’t apply in emergency situations where someone’s life is at stake.
AB 1327 would also require agencies to destroy most drone-recorded images within six months, and it would forbid authorities from attaching any weapons to the aircraft. The bill has faced opposition from civil liberties groups and law enforcement. But it passed easily in the Assembly on Jan. 29 on a 63-6 vote.
AB 1327 now heads to the Senate.