Attorney General Rob Bonta Calls for Full Compliance with State Health Data Privacy Laws

Tuesday, August 24, 2021
Contact: (916) 210-6000

Reminds healthcare providers to report data breaches to the California Department of Justice and to be vigilant about reducing the risk of ransomware attacks

OAKLAND – California Attorney General Rob Bonta issued guidance today to healthcare facilities and providers reminding them of their obligation to comply with state and federal health data privacy laws. In a bulletin sent to stakeholder organizations, including the California Hospital Association, the California Medical Association, and the California Dental Association, the Attorney General reminded healthcare entities that they must notify the California Department of Justice (DOJ) when the health data of more than 500 California residents has been breached. Today’s bulletin comes on the heels of multiple unreported ransomware attacks against California healthcare facilities.

“Entities entrusted with private and deeply personal data, like hospitals and other healthcare providers, must secure information against evolving threats,” said Attorney General Bonta. “California law mandates that data breaches impacting more than 500 of our residents be reported to the California Department of Justice. In addition, I implore all entities that house confidential health-related information to be vigilant and take steps now to protect patient data, before a potential cyberattack.”

The healthcare sector has been a main target of multiple cyberattacks. Last year, the U.S. Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the U.S. Department of Health and Human Services released a joint report that stated the agencies had “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” These cyberattackers often introduce malware, including ransomware, into a computer system to render health data files and systems useless and hold the data hostage in exchange for a ransom. When the breaches of data involve Social Security numbers, health records, or other sensitive information, they threaten the privacy, security, and economic wellbeing of impacted Californians. They also disrupt the ability of providers to deliver care and erode patient trust.

California law (Civil Code section 1798.82) requires entities that have suffered a data breach, including a health data breach, affecting more than 500 California residents to submit a breach report to the Office of the Attorney General. When healthcare providers notify the Attorney General of these breaches, the DOJ advises the public of the breach through the Attorney General’s website.

In today’s bulletin, Attorney General Bonta also urged healthcare entities to take the following proactive steps, at minimum, to protect patient data from potential ransomware attacks:

  • Keep all operating systems and software housing health data current with the latest security patches;
  • Install and maintain virus protection software;
  • Provide regular data security training for staff members that includes education on not clicking on suspicious web links and guarding against phishing emails;
  • Restrict users from downloading, installing, and running unapproved software; and
  • Maintain and regularly test a data backup and recovery plan for all critical information to limit the impact of data or system loss in the event of a data security incident.

A copy of the bulletin is available here.

# # #