How to Protect Your Workers Compensation Records

Protecting your workers’ compensation records starts with understanding who can legally access them, how long they must be retained, and what steps you can take to limit exposure of your personal information. At minimum, you should know your state’s specific disclosure and retention rules, restrict medical record sharing to only what is directly relevant to your claim, and monitor your identity for signs of misuse — because workers’ comp files contain exactly the kind of data that fuels identity theft: Social Security numbers, medical histories, employment details, and home addresses.

The 2025 breach at the Workers’ Compensation Insurance Rating Bureau of California, where an unauthorized actor accessed a third-party Box.com system and exposed names, SSNs, medical records, and claim information for 2,766 individuals, is a concrete reminder that these records are actively targeted. This article covers the legal framework that governs who can see your records and under what conditions, the patchwork of federal and state retention requirements you need to navigate, your rights as a worker to limit disclosure, and the practical steps both employees and employers should take to keep this sensitive data secure. We will also walk through real-world breach scenarios and the fraud risks that make workers’ comp records particularly valuable to criminals.

What Legal Protections Exist for Workers' Compensation Records?

The legal landscape around workers’ comp privacy is more fragmented than most people realize. HIPAA — the federal law most Americans associate with medical privacy — does not directly regulate workers’ compensation insurers, administration agencies, or workers’ comp boards. However, when a healthcare provider (a HIPAA-covered entity) discloses your Protected Health Information for workers’ comp purposes, that disclosure is governed by the HIPAA Privacy Rule. Under 45 CFR Section 164.512(l), covered entities may disclose PHI without patient consent “as authorized by and to the extent necessary to comply with laws relating to workers’ compensation,” but the minimum necessary standard applies. That means only the information needed to accomplish the workers’ comp purpose should be shared — not your entire medical history. Because workers’ comp entities themselves fall outside federal HIPAA requirements, they must instead comply with state-specific data protection and breach notification laws.

This creates a significant gap: the insurer handling your claim may not be bound by the same privacy rules as the doctor who treated your injury. California addressed part of this problem with the Workers’ Compensation Medical Records Disclosure Act, enacted in 2025, which permits employers and insurers to access medical records related to a claim without explicit consent but strictly limits disclosure to information reasonably necessary to process that claim. Companies that share medical information obtained through a claim with unauthorized parties face civil or criminal penalties. But California is one state — protections vary wildly elsewhere. The practical takeaway is that you cannot assume a single federal law has your back. Your records sit at the intersection of healthcare privacy law, employment law, and state-specific data protection statutes, and the protections depend heavily on which entity holds the data and where you live.

How Long Must Employers and Insurers Keep Your Records?

Record retention is another area where federal and state requirements overlap and sometimes conflict. At the federal level, OSHA requires businesses to retain workplace injury records for five years after the year to which they relate, under 29 CFR 1904 and 29 CFR 1910.1020. The ADA mandates that all employee medical records, including workers’ comp claims, be securely stored for three years after termination. These are floors, not ceilings — state law can and often does demand much longer retention. New York, for example, requires employers to retain injury and illness records for 18 years, regardless of whether the injury results in a formal claim. Failure to comply is a misdemeanor with penalties.

California requires claim files to be kept for five years from the date of injury or the date of last compensation benefit, whichever is later, and claims with awards for future benefits cannot be destroyed at all. For states that do not specify a retention period — including Colorado, Illinois, and Texas — the U.S. Chamber of Commerce’s Uniform Preservation of Private Business Records Act guideline recommends a default of three years. However, if your organization operates across multiple states, meeting the shortest requirement is not enough. Many employers choose to retain records for seven years as a safe baseline that covers most state and federal requirements. The tradeoff is clear: longer retention means more data sitting in storage that could be exposed in a breach, but destroying records too early can result in compliance violations and, in states like New York, criminal penalties. There is no one-size-fits-all answer, which is why a documented, jurisdiction-aware retention policy is not optional — it is a legal necessity.

Workers’ Comp Record Retention Requirements by Jurisdiction
1. New York: 18 years
2. OSHA (Federal): 5 years
3. California: 5 years
4. ADA (Federal): 3 years
5. UPPBRA Default: 3 years
Source: OSHA, ADA, U.S. Chamber of Commerce UPPBRA, CA Dir Title 8 Section 15400.2, NYSIF
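Because every rule above is a floor, a jurisdiction-aware retention policy reduces to "take the latest applicable deadline, and never destroy a file whose clock has not started or that can never be destroyed". The following evaluator is an added example (not code from the article or any agency) that encodes the periods quoted above; the article does not say which date starts the New York and UPPBRA clocks, so the code assumes the date of injury for both, and it treats a record as non-destroyable while the worker is still employed because the ADA period only begins at termination.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Periods stated in the article. Which date starts the New York and UPPBRA
# clocks is not specified there; this example assumes the date of injury.
NY_YEARS = 18
DEFAULT_YEARS = 3  # UPPBRA guideline for states with no stated period

@dataclass
class ClaimRecord:
    state: str                                # two-letter code, e.g. "NY"
    injury_date: date
    last_benefit_date: Optional[date] = None  # last compensation payment
    termination_date: Optional[date] = None   # None while still employed
    future_award: bool = False                # CA award for future benefits

def add_years(d: date, years: int) -> date:
    # Feb 29 rolls back to Feb 28 when the target year is not a leap year.
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retain_until(rec: ClaimRecord, baseline_years: Optional[int] = None) -> Optional[date]:
    """Earliest date the record may be destroyed (None = keep indefinitely).
    Every rule is a floor, so the latest deadline wins; baseline_years is an
    optional company-wide minimum such as the 7-year baseline the article cites."""
    if rec.termination_date is None:
        return None  # ADA clock (3 years after termination) has not started
    if rec.state == "CA" and rec.future_award:
        return None  # CA: claims with future-benefit awards are never destroyed
    deadlines = [
        # OSHA: five years after the year the injury relates to
        date(rec.injury_date.year + 5, 12, 31),
        # ADA: three years after termination
        add_years(rec.termination_date, 3),
    ]
    if rec.state == "CA":
        # Five years from injury or last benefit, whichever is later
        start = max(rec.injury_date, rec.last_benefit_date or rec.injury_date)
        deadlines.append(add_years(start, 5))
    else:
        years = NY_YEARS if rec.state == "NY" else DEFAULT_YEARS
        deadlines.append(add_years(rec.injury_date, years))
    if baseline_years:
        deadlines.append(add_years(rec.injury_date, baseline_years))
    return max(deadlines)
```

A disposal job can run this over every claim file and shred only those whose result is in the past, which keeps the stored footprint as small as the law permits without ever destroying a record early.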

The WCIRB California Breach: A Case Study in What Goes Wrong

In 2025, the Workers’ Compensation Insurance Rating Bureau of California suffered a data breach that illustrates exactly why these records demand serious protection. Between July 9 and September 18, 2025, an unauthorized actor accessed WCIRB’s third-party Box.com system. The breach was not a sophisticated zero-day exploit or a nation-state attack — it was unauthorized access to a cloud storage platform, the kind of vendor risk that organizations routinely underestimate. The exposed data included names, addresses, dates of birth, Social Security numbers, employment information, health information, medical records, and workers’ compensation claim information for 2,766 individuals.

That is a comprehensive identity theft package: enough to open credit accounts, file fraudulent tax returns, submit fake insurance claims, and more. WCIRB offered affected individuals free IDX identity theft protection with a one-million-dollar insurance reimbursement policy, with an enrollment deadline of January 27, 2026. The breach was reported to the California Attorney General’s office. This incident underscores a critical point: even organizations whose entire purpose is handling workers’ comp data can fail to protect it, especially when third-party vendors are involved. If you are an employer or insurer relying on cloud storage or external platforms for claims data, your security posture is only as strong as your weakest vendor’s.

What Rights Do Workers Have Over Their Own Records?

Workers have more control over their records than many realize, though exercising those rights requires knowing they exist. You are not obligated to share medical records unrelated to your workers’ compensation claim with your employer. If you have a back injury claim, your employer has no legitimate need to see records from a mental health provider or an unrelated surgical history. The minimum necessary standard that applies to HIPAA-covered entities should also guide what you voluntarily disclose. Prospective employers present a different scenario. A prospective employer cannot ask to see information about past workers’ compensation claims, and you cannot be compelled to authorize such access.

The New York Workers’ Compensation Board states this clearly: people authorized to see your claim information are prohibited from sharing it with unauthorized individuals. This matters during job searches, where applicants sometimes feel pressured to over-disclose. The comparison worth making is between what employers can legally request and what they actually request. In practice, some employers or their insurers cast a wide net, requesting broad medical authorizations that go well beyond what is needed for a specific claim. You have the right to push back, to limit authorizations to the specific body part, condition, or time period relevant to your claim. If an authorization form asks for access to “any and all medical records,” that is a red flag — not a legal requirement.

Fraud Risks: Why Workers’ Comp Records Are a High-Value Target

Workers’ compensation records are unusually valuable to criminals because they bundle together several categories of sensitive data that are typically siloed. A single claim file can contain a Social Security number, a home address, a date of birth, detailed medical information, employment history, and wage data. The FTC logged 6.47 million total consumer reports and more than 12 billion dollars in fraud losses for 2024, and workers’ comp records feed directly into the most damaging forms of identity theft. One specific fraud vector involves individuals assuming someone else’s identity to file workers’ comp claims using stolen personal information and medical history. This is not a theoretical risk — it is a documented pattern identified by ADP and other payroll and insurance providers.

The stolen identity is used to establish employment, fabricate an injury, and collect benefits, all while the real person may have no idea their information has been compromised until they encounter problems with their own benefits, credit, or tax filings. A limitation worth noting: traditional credit monitoring, while helpful, does not catch all forms of workers’ comp fraud. Credit monitoring will flag a new credit card opened in your name but will not alert you if someone files a fraudulent workers’ comp claim using your SSN and employment history. The IRS recommends Identity Protection PINs for the 2025 filing season to block fraudulent e-filings tied to stolen employment data, which is a useful but narrow layer of defense. Comprehensive protection requires monitoring across credit, employment, and benefits systems — not just one.

Practical Steps Employers Should Take to Secure Claims Data

Employers and carriers bear the primary responsibility for securing workers’ comp records, and the basics are straightforward even if execution is not. Records must be stored — whether physical or digital — in locations where only authorized users can access them. This means role-based access controls for digital systems, locked storage for paper files, and specific written policies for disposing of PHI when retention periods expire.

Shredding paper records and using certified data destruction for digital media are not best practices — they are baseline requirements. Beyond storage, organizations should use data analytics to identify anomalies, unusual claim patterns, or excessive billing that may indicate fraud, and conduct regular audits of workers’ comp policies, procedures, and records to identify irregularities. The tradeoff between thorough auditing and operational burden is real, but the cost of a breach — legal liability, regulatory penalties, identity theft protection for affected individuals, and reputational damage — dwarfs the cost of a competent compliance program.

Looking Ahead: The Regulatory Landscape Is Shifting

California’s 2025 Medical Records Disclosure Act signals a broader trend toward more explicit, enforceable rules around workers’ comp data. As breaches like the WCIRB incident draw public attention and as the FTC continues to report escalating fraud losses year over year, more states are likely to follow with legislation that narrows the gap between HIPAA-covered healthcare data and the workers’ comp records that currently exist in a regulatory gray zone. For both workers and employers, the direction of travel is clear: assume that the rules will get stricter, that the penalties for non-compliance will increase, and that the window for relying on vague or outdated policies is closing.
