February 2, 2023

Volume XIII, Number 33


California Attorney General Issues Guidance on Health Data Privacy Issues

Citing “multiple unreported ransomware attacks” targeting the healthcare sector, last month the California Attorney General (CA AG) issued guidance reminding healthcare entities of their obligations under state and federal health data privacy laws to implement adequate security measures and comply with breach notification requirements. Although the document does not provide any “new” guidance, it signals that the California AG is prioritizing breaches in the healthcare sector and serves as a reminder that entities subject to HIPAA are not exempt from California’s more stringent breach notification requirements.

In particular, the AG’s bulletin reminds Covered Entities under HIPAA that California state law imposes additional requirements, such as notice to the Attorney General when a breach impacts more than 500 people. Although the generally applicable California data breach law exempts entities subject to HIPAA from California’s requirements regarding the content of breach notification letters, that law does not exempt Covered Entities or Business Associates from the AG notice provisions. California also has other breach reporting requirements that are stricter than HIPAA, such as the California Department of Public Health’s 15-day deadline for “healthcare facilities” to report “medical information breaches” experienced by the facility or its business associates.

The AG’s bulletin recommends entities implement the following minimum preventive measures:

  • Keep all operating systems and software housing health data current with the latest security patches;

  • Install and maintain virus protection software;

  • Provide regular data security training for staff members that includes education on not clicking on suspicious web links and guarding against phishing emails;

  • Restrict users from downloading, installing, and running unapproved software;

  • Maintain and regularly test a data backup and recovery plan for all critical information to limit the impact of data or system loss in the event of a data security incident; and

  • Implement other security safeguards required under other laws (such as HIPAA) and recommended in government publications (such as the data security best practices available in the CISA Cyber Resource Hub).

© Copyright 2023 Squire Patton Boggs (US) LLP. National Law Review, Volume XI, Number 292

About this Author

Elliot Golding Privacy and Cybersecurity Attorney Squire Patton Boggs

Elliot Golding (CIPP/US) is a member of our Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He has been selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, representing the best of the data law bar around the world.

Elliot partners with clients to proactively manage risk by developing and implementing information governance programs,...

Kristin L. Bryan, Litigation Attorney, Senior Associate, Squire Patton Boggs, Cleveland, OH & New York, NY

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

Amber Mulcare is an associate in the Data Privacy, Cybersecurity & Digital Assets Practice. Her experience spans a wide range of complex privacy, cybersecurity, technology and emerging company matters across an array of sectors.

Amber has assisted with various data breaches of information, including PII, PHI and CUI; coordinated multijurisdictional notifications, including state attorneys general and the FTC, when necessary; crafted internal and external communication for clients to deliver; and coordinated with forensic specialists and other consultants, as needed. She has also...