Since passage of the federal stimulus package, which includes provisions requiring prompt public reporting of breaches, the government has received notice of 306 cases from September 2009 to June 2011 that affected at least 500 people apiece. A recent report to Congress tallied 30,000 smaller breaches from September 2009 to December 2010, affecting more than 72,000 people.
The major breaches — a disconcerting log of stolen laptops, hacked networks, unencrypted records, misdirected mailings, missing files and wayward e-mails — took place in 44 states.
One occurred at the Lucile Packard Children’s Hospital at Stanford in January 2010, when a desktop computer holding the medical records of 532 patients was stolen from the heart center by an employee. Hospital officials said at the time that no patient information was compromised.
But the California Department of Public Health fined the hospital $250,000, the maximum allowed, for failing to report the breach within five days of discovery, as is required under state law. The hospital appealed the fine, and a settlement has been reached but not yet disclosed, a department spokesman said.