Patients’ Rights After a Medical Data Breach in California

Patients have rights over how their medical data is shared and stored. In California, patients have the right to keep their medical records private. A data breach violates this right and puts patients at risk of fraud or identity theft.

Healthcare professionals have a duty to keep medical records protected. Facilities should have access controls, encryption, and other safeguards in place to ensure medical data stays safe. This doesn’t always happen. When medical data is breached, patients have rights.

If you’ve suffered a medical data breach in California, contact McNicholas & McNicholas, LLP for a free consultation to learn more about your legal options.

What is a data breach?

A data breach occurs when personal or confidential information is accessed without authorization. A breach can happen through:

  • Cyberattacks
  • Malware
  • Phishing
  • Insider theft
  • System vulnerabilities

Data breaches can happen to any healthcare company for various reasons. These may include a lack of proper encryption or other security measures.

How common are data breaches in California?

In 2024, there were over 328 million individual records breached in the US. Another study found that 22.6 million records were exposed in California, making California the state with the second-highest number of records exposed.

What legal rights do patients have?

In California, patients have certain rights regarding their medical data. These include:

  • A right to be told how healthcare professionals use private information.
  • A right to request limits on who gets to see the personal health information.
  • A right to know to whom information has been disclosed.
  • A right to limit certain marketing communications involving their health information.
  • A right to correct medical information.
  • A right to file a complaint.
  • A right to bring a lawsuit to recover damages in some cases involving violations of state health information privacy laws.

What is the California Consumer Privacy Act?

The California Consumer Privacy Act (CCPA) says people have a right to know what information is collected, how it is used, and how it is shared. It also allows people to delete information and opt out of sharing or selling information. The CCPA states people cannot be discriminated against for exercising their rights under the act.

Most protected health information is exempt because it is covered under HIPAA or California’s Confidentiality of Medical Information Act.

What is the Confidentiality of Medical Information Act?

The Confidentiality of Medical Information Act (CMIA) is a California law that adds layers of protection for medical data beyond federal law (HIPAA). It includes protections such as:

  • Prohibiting healthcare facilities from sharing information without authorization, except as specified by law.
  • Ensuring confidentiality during the destruction of medical records.
  • Allowing legal action against a person or entity that negligently releases confidential medical information, including nominal damages of $1,000 per violation, even without proof of actual harm in some cases.
  • Allowing for administrative fines for each violation.

Common types of data stolen in breaches

Several types of data may be accessed without authorization during a breach. Stolen data commonly includes:

  • Names
  • Addresses
  • Medical conditions
  • Health insurance information
  • Social Security numbers
  • Driver’s license numbers
  • Credit or debit card information
  • Portal passwords
  • Military ID numbers
  • Biometric data
  • Passport information
  • Tax ID numbers
  • Email addresses
  • Phone numbers

Healthcare provider obligations after a data breach

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires facilities to notify individuals of breaches involving unsecured data. Notices may be sent by postal mail or email, depending on the preferences set by the patient. Notices must be sent without unreasonable delay and within 60 days of the discovery of the breach.

For healthcare facilities that have insufficient or outdated contact information for 10 or more individuals, a notice must be published on the facility’s website for at least 90 days. Facilities may also place a notice in broadcast or print media for breaches affecting 500 or more individuals.

Covered entities must also implement administrative safeguards to reduce the risk of future breaches.

Impact of a medical data breach

A medical data breach has a lasting impact on patients. Not only is their sensitive data compromised, but they may also lose trust in the health system. The most significant consequences of a medical data breach include:

Identity theft

The most common impact of a breach is identity theft. With stolen information, people can open accounts, take out credit cards, and commit other crimes in the victim’s name.

In California, there may be recoverable damages depending on the impact of the identity theft. An experienced attorney can help victims understand their rights and legal options after a medical data breach.

Medical fraud

A medical data breach can lead to someone receiving medical treatment or medications under another person’s identity. This is considered medical fraud and can lead to falsified or corrupted medical records. It could also cause significant financial distress if someone racks up medical bills in the victim’s name.

Emotional distress

A medical data breach may lead to emotional distress for patients. Victims may lose trust in the health system or be afraid to seek medical treatment. For breaches that result in fraud or identity theft, individuals may suffer financial harm as well as the mental strain of dealing with the situation.

Individuals who suffer emotional distress due to a medical data breach should speak to a data breach litigation attorney to understand what legal options are available.

How can a data breach litigation attorney help clients?

A knowledgeable data breach litigation attorney helps clients throughout the litigation process, serving as their advocate and representative while fighting for their rights.

Contact McNicholas & McNicholas, LLP, today for a free consultation

A data breach can be devastating for the impacted person. Victims may face emotional or financial distress, identity theft, or medical fraud. If your medical data was compromised in a breach, we recommend you speak to an experienced attorney. At McNicholas & McNicholas, LLP, our team has experience helping those dealing with the fallout of a medical data breach. Complete this form or call us to request a free consultation.