Reporting data breaches can be a lot like walking on eggshells for organizations.
On one hand, you want to put your customers and people first and make sure they are fully aware of a cyber incident, especially if any of their personal information has been compromised.
On the other hand, publicly admitting to a data breach can create serious blowback for the organization and perhaps damage both reputation and earnings.
For the healthcare industry, this became more complicated amidst the pandemic. And apparently, many of them are not reporting data breaches they are required to report.
That is the implication of recent action by California Attorney General Rob Bonta.
State Attorney General Bonta recently issued guidance to healthcare services and providers, reminding them that they must comply with state and federal health data privacy laws, which include requirements to report data breaches.
He notes that his message comes following multiple unreported ransomware attacks against California healthcare facilities:
"Entities entrusted with private and deeply personal data, like hospitals and other healthcare providers, must secure information against evolving threats. California law mandates that data breaches impacting more than 500 of our residents be reported to the California Department of Justice. In addition, I implore all entities that house confidential health-related information to be vigilant and take steps now to protect patient data, before a potential cyberattack."
Bonta also urges healthcare organizations to take the following steps to protect patient data:
Earlier this year, BlackBerry was faced with the difficult decision of going public with a newly discovered vulnerability.
The vulnerability, known as BadAlloc, was found in the company's QNX operating system. That operating system is used in over 195 million vehicles worldwide and spans multiple industries, including aerospace and defense, automotive, commercial vehicles, heavy machinery, industrial controls, medical, rail, and robotics.
Knowing how costly it could be to publicly admit to the discovery of this vulnerability, BlackBerry attempted to privately mitigate the situation with its customers. But that didn't work out so well.
Eventually, U.S. CISA convinced the company to go public, though this was months after other organizations with the same BadAlloc vulnerability had done so.
Now, California hospitals and clinics are also on notice that they must report most cyberattacks or risk finding themselves out of compliance with state law.