Amanda Bronstad reports that UCLA Health System was sued over a September breach revealed last month. The potential class action lawsuit, filed December 14, alleges violations of California’s Confidentiality of Medical Information Act, which provides for statutory damages of $1,000 per person. At over 16,000 patients, that could cost them $16.3 million plus legal fees and other breach-related costs.
The breach occurred September 6, when an encrypted hard drive was stolen during a home invasion. UCLA reported that although this information was encrypted, the password was written on a piece of paper near the hard drive and could not be located. The files on the drive did not include Social Security numbers or any financial information, but did include first and last names and may have included birth dates, medical record numbers, addresses and medical record information.
Bronstad’s report includes an interesting piece of information, previously unknown to me:
The physician whose home was burglarized had not worked at UCLA since July.
Of course, that doesn’t mean that the physician had no need to still access those records, but it may raise other questions, such as what UCLA Health does to secure patient records when employees terminate. In this case, the drive was encrypted, and it may well be that the piece of paper with the encryption key was merely lost at some other time but went unnoticed until the burglary. The bigger concern I see is that four years’ worth of patient data were kept on an external drive, off premises, by someone no longer employed by the health system. Did UCLA know where all those data were? Someone must have known, since individual notification letters were sent, but the incident certainly should give us all pause to reflect on how many patients in this country have their data on external or portable devices that are outside the covered entities’ premises and that could be stolen or lost – without the covered entity ever finding out (or the patients, for that matter!). This doctor did the right thing by reporting the breach, but how would a hospital know if a former employee still retained data that were subsequently stolen? They might not know.
And that is today’s scary thought of the day.
Hi, I wanted to leave a comment on another story… there I’m pretty certain that the number of 8.5 million should be 5.8 million. There are a bunch of other reports from earlier this year, not from this particular source, that reference the 5.8 million number. Let me know if you want more to correct that entry (I find this site is a very valuable archive! thanks!)
Hi Joe,
Yes, if you have other references, please let me know and I will edit that archived story to correct the number. Thanks.
Here are two stories that cite the 5.8 million figure… there are many more at the dutchnews.nl site.
Thanks so much – will correct that post!