DataBreaches.Net


UCLA Hospitals Sued Over Patient Data Breach

Posted on December 20, 2011 by Dissent

Amanda Bronstad reports that UCLA Health System was sued over a September breach revealed last month. The potential class action lawsuit, filed December 14, alleges violations of California’s Confidentiality of Medical Information Act, which provides for statutory damages of $1,000 per person. At over 16,000 patients, that could cost them $16.3 million plus legal fees and other breach-related costs.

The breach occurred September 6, when an encrypted hard drive was stolen during a home invasion. UCLA reported that although the information was encrypted, the password was written on a piece of paper near the hard drive, and that piece of paper could not be located. The files on the drive did not include Social Security numbers or any financial information, but did include first and last names and may have included birth dates, medical record numbers, addresses and medical record information.

Bronstad’s report includes an interesting piece of information, previously unknown to me:

The physician whose home was burglarized had not worked at UCLA since July.

Of course, that doesn’t mean that the physician had no need to still access those records, but it may raise other questions, such as what UCLA Health does to secure patient records when employees terminate. In this case, the drive was encrypted, and it may well be that the piece of paper with the encryption key was merely lost at some other time but went unnoticed until the burglary. The bigger concern I see is that four years’ worth of patient data were on an external drive, off premises, held by someone no longer employed by the health system. Did UCLA know where all those data were? Someone must have known since individual notification letters were sent, but the incident certainly should give us all pause to reflect on how many patients in this country have their data on external devices or portable devices that are outside the covered entities’ premises and that could be stolen or lost – without the covered entity ever finding out (or the patients, for that matter!). This doctor did the right thing by reporting the breach, but how would a hospital know if a former employee still retained data that were subsequently stolen? They might not know.

And that is today’s scary thought of the day.

Category: Health Data


4 thoughts on “UCLA Hospitals Sued Over Patient Data Breach”

  1. Anonymous says:
    December 20, 2011 at 6:59 pm

    Hi, I wanted to leave a comment on another story… there I’m pretty certain that the number of 8.5 million should be 5.8 million. There are a bunch of other reports from earlier this year, not from this particular source, that reference the 5.8 million number. Let me know if you want more to correct that entry (I find this site is a very valuable archive! thanks!)

    1. Anonymous says:
      December 20, 2011 at 7:32 pm

      Hi Joe,

      Yes, if you have other references, please let me know and I will edit that archived story to correct the number. Thanks.

  2. Anonymous says:
    December 23, 2011 at 6:33 am

    Here are two stories that cite the 5.8 million figure… there are many more at the dutchnews.nl site.

    1. Anonymous says:
      December 23, 2011 at 8:05 am

      Thanks so much – will correct that post!
