: Michigan : Privacy Law Blog

Home > Michigan >

Prying Eyes Make Headlines

Posted on August 18, 2008 by Proskauer Rose LLP

Proskauer on Privacy will never be confused with TMZ, but we would be remiss if we failed to report on the high profile privacy scandal unfolding in the backyard of our Los Angeles office. As we previously reported, California’s data breach notification law was amended effective January 1, 2008, to include breaches of medical and health insurance information. A number of recent incidents illustrate once again that it is not enough to have written policies and procedures in place for the handling of sensitive information – employee training is essential.

The Los Angeles Times recently reported that over 120 employees viewed the medical records and personal information of approximately 900 celebrity patients at UCLA Medical Center between April 2003 and May 2007. According to the latest report, the unauthorized snooping continued even after the facility cracked down on peeking employees in April.

One employee, former administrative specialist Lawanda Jackson, has been indicted for obtaining individually identifiable health information for commercial advantage. Jackson allegedly sold information about Farrah Fawcett’s battle with cancer to a national media outlet.

According to an incident report by the California Department of Health Services, an unnamed celebrity patient informed the facility as early as 2004 that confidential information about his or her hospitalization had been published in a national newspaper.

The Los Angeles incident is not the only hospital snooping scandal currently making headlines. In Michigan, employees at Sparrow Hospital were disciplined for peeking at the medical records of Governor Jennifer Granholm when she was admitted in April 2008 for surgery. The hospital did not release any additional information about the incident, citing federal privacy law.

Companies that want to stay off the front page must ensure that personnel receive and are regularly trained regarding company policies and procedures governing the protection of personally identifiable information, and must consistently enforce those policies and procedures.

Tags: California, Medical Privacy, Michigan, celebrities, confidential information, data security breach, health care, personally identifying information

Iowa Enacts 43rd State Breach Notification Law

Posted on May 12, 2008 by Proskauer Rose LLP

On May 9, 2008, Iowa Governor Chester Culver signed legislation (SF 2308) requiring any person who owns or licenses computerized data that includes a consumer's personal information to give notice of a breach of security. The law does not require notification if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Following is an updated list of the 43 state security breach notification laws (plus District of Columbia and Puerto Rico).

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (Hawaii Revised Stat. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Iowa (SF 2308)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Massachusetts (Massachusetts General Laws Ann. 93H §§ 1 et seq.)

Michigan (Michigan Compiled Laws Ann. 445.72)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT.§ 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oklahoma (Okla. Stat. § 74-3113.1)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3))

South Carolina S.B. 453

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia S.B. 307

Washington (WASH. REV. CODE § 19.255.010)

West Virginia S.B. 340

Wisconsin (WIS. STAT. § 895.507)

Wyoming (W.S. 40-12-501 through 40-12-509)

More Breach Notification Laws -- 42 States and Counting

Posted on April 7, 2008 by Proskauer Rose LLP

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma). Listed below are the 41 states with laws that apply to private entities (plus the District of Columbia and Puerto Rico).