California Attorney General Kamala Harris. Photo by John Schreiber.
California Attorney General Kamala Harris. Photo by John Schreiber.

An unencrypted flash drive containing patient data that went missing from Anaheim Medical Center was among 167 data breaches reported to the Attorney General’s Office last year, according to a statewide report on cyber-security issued Tuesday.

The data breaches reported to the AG’s office in 2013 impacted 18.5 million Californians by putting their personal information at risk, Attorney General Kamala Harris said.

“Data breaches pose a serious threat to the privacy, finances and personal security of California consumers,” Harris said. “The fight against these kind of cybercrimes requires the use of innovative strategies by government and the private sector to protect our state’s consumers and businesses. I strongly encourage more use of encryption to significantly reduce the risk of data breaches.”

Under California law, companies must report breaches to the Attorney General’s Office if more than 500 consumers have been affected, regardless of whether a breach was malicious or unintentional.

The number of reported data breaches last year increased by 28 percent, from 131 in 2012 to 167 in 2013. The increase was largely due to two massive retailer breaches at Target and LivingSocial, each of which put the personal information of roughly 7.5 million Californians at risk, according to the state.

More than half of the 2013 breaches were caused by computer intrusions, such as malware and hacking, according to the state report. The remaining breaches resulted from physical loss or theft of laptops or other devices containing unencrypted personal information, unintentional errors and intentional misuse.

Harris said there is a need in every sector of the economy to adapt preventive technology, such as data encryption, to protect consumers and retailers from theft.

“The less we protect ourselves, the more (our information) is a treasure trove for predators,” she said.

The report also contains the names of organizations that were breached, including Anthem Blue Cross, California Department of Public Health, American Express, Discover Financial Services, Anaheim Medical Center and the Los Angeles LGBT Center.

The report includes specific tips and recommendations to reduce the frequency and impact of future breaches.

Harris urged consumers to regularly monitor credit and debit card accounts for suspicious transactions and notify the card-issuing bank of any discrepancies, and suggested asking the bank for online monitoring and alerts on card accounts.

She said that if a data breach notice says a health insurance or health plan number was involved, consumers should contact the insurer or plan and ask them to note the breach in their records and to flag the account number. If a data breach notice involves a password or user ID, both should be changed for that account and any other accounts containing the same information.

As for retailers, the AG recommended that point-of-sale terminals be updated so they are chip-enabled with the necessary software. She also urged store owners to implement encryption solutions to devalue payment card data, including encrypting the data from the point of capture until completion of transaction authorization.

“We want to make credit card information less valuable to the thief,” Harris said.

Harris also said retailers must respond promptly to payment card data breaches that occur in their computer systems and improve their notification process.

The health care industry should implement the strongest encryption technology available to protect medical information on laptops and on other portable devices, and consider encryption for desktop computers, Harris said.

“There is software widely available to do just that,” she said.

In addition, Harris said the Legislature should consider laws revising the breach notice law in order to strengthen the consumer notification procedure; clarify the roles and responsibilities of data owners and data maintainers; and require a final breach report to the Attorney General’s Office.

She added that lawmakers should consider legislation to provide “small grants” to support system upgrades for some retailers.

— City News Service

Leave a comment

Your email address will not be published.