The California Attorney General ('AG'), Rob Bonta, announced, on 24 August 2021, that he had sent a bulletin to healthcare facilities and providers reminding them of their obligation to comply with state and federal health data privacy and security laws. In particular, the AG explained that, after multiple unreported ransomware attacks against California healthcare facilities, he decided to remind healthcare entities that they must notify the California Department of Justice ('DOJ') when the health data of more than 500 California residents has been breached.

In addition, the AG highlighted that the healthcare sector has been a main target of multiple cyber attacks recently, and that when the data breach involves health records or other sensitive information, it threatens the privacy, security, and economic wellbeing of impacted Californians. 

Lastly, the bulletin urges healthcare entities to take the following proactive steps, at minimum, to protect patient data from potential ransomware attacks:

• keep all operating systems and software housing health data current with the latest security patches;
• install and maintain virus protection software;
• provide regular data security training and education for staff members;
• restrict users from downloading, installing, and running unapproved software; and
• maintain and regularly test a data backup and recovery plan for all critical information.

You can read the press release here and the bulletin here.