CHA News

State Attorney General Calls for Full Compliance with Health Data Privacy Laws

For privacy officers, legal counsel, licensing & certification staff

This post has been archived and contains information that may be out of date.

On Aug. 24, California Attorney General Rob Bonta issued guidance to health care facilities and providers reminding them of their obligation to comply with state and federal health data privacy laws.

In a bulletin sent to stakeholder organizations, including CHA, the California Medical Association, and the California Dental Association, the attorney general reminded health care entities that they must notify the California Department of Justice (DOJ) when the health data of more than 500 California residents has been breached. The attorney general believes that there have been multiple unreported ransomware attacks against California health care facilities recently.

California law (Civil Code section 1798.82) requires entities that have suffered a data breach, including a health data breach, affecting more than 500 California residents to submit a breach report to the Office of the Attorney General. When health care providers notify the attorney general of these breaches, the DOJ advises the public of the breach through the attorney general’s website. The attorney general’s guidance also outlined some steps health care entities can take to protect against ransomware attacks.