DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

UCLA Hospitals Sued Over Patient Data Breach

Posted on December 20, 2011 by Dissent

Amanda Bronstad reports that UCLA Health System was sued over a September breach revealed last month. The potential class action lawsuit, filed December 14, alleges violations of California’s Confidentiality of Medical Information Act, which provides for statutory damages of $1,000/per person. At over 16,000 patients, that could cost them $16.3 million plus legal fees and other breach-related costs.

The breach occurred September 6, when an encrypted hard drive was stolen during a home invasion. UCLA reported that although this information was encrypted, the password was written on a piece of paper near the hard drive and could not be located. The files on the drive did not include Social Security numbers or any financial information, but did include first and last names and may have included birth dates, medical record numbers, addresses and medical record information.

Bronstad’s report includes an interesting piece of information, previously unknown to me:

The physician whose home was burglarized had not worked at UCLA since July.

Of course, that doesn’t mean that the physician had no need to still access those records, but it may raise other questions, such as what UCLA Health does to secure patient records when employees terminate. In this case, the drive was encrypted, and it may well be that the piece of paper with the encryption key was merely lost at some other time but went unnoticed until the burglary. The bigger concern I see is that four years’ worth of patient data were on an external drive off premises by someone no longer employed by the health system. Did UCLA know where all those data were?  Someone must have known since individual notification letters were sent, but the incident certainly should give us all pause to reflect on how many patients in this country have their data on external devices or portable devices that are outside the covered entities’ premises and that could be stolen or lost – without the covered entity ever finding out (or the patients, for that matter!). This doctor did the right thing by reporting the breach, but how would a hospital know if a former employee still retained data that were subsequently stolen?  They might not know.

And that is today’s scary thought of the day.

Category: Health Data

Post navigation

← Fertile sperm donor draws criticism from FDA, docs
Atari and Square Enix cough to exposing users’ privates →

4 thoughts on “UCLA Hospitals Sued Over Patient Data Breach”

  1. Anonymous says:
    December 20, 2011 at 6:59 pm

    Hi, I wanted to leave a comment on another story… there I’m pretty certain that the number of 8.5 million should be 5.8 million. There are a bunch of other reports from earlier this year, not from this particular source, that reference the 5.8 million number. Let me know if you want more to correct that entry (I find this site is a very valuable archive! thanks!)

    1. Anonymous says:
      December 20, 2011 at 7:32 pm

      Hi Joe,

      Yes, if you have other references, please let me know and I will edit that archived story to correct the number. Thanks.

  2. Anonymous says:
    December 23, 2011 at 6:33 am

    Here are two stories that cite the 5.8 million figure… there are many more at the dutchnews.nl site.

    1. Anonymous says:
      December 23, 2011 at 8:05 am

      Thanks so much – will correct that post!

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Slapped wrists for Financial Conduct Authority staff who emailed work data home
  • School Districts Unaware BoardDocs Software Published Their Private Files
  • A guilty plea in the PowerSchool case still leaves unanswered questions
  • Brussels Parliament hit by cyber-attack
  • Sweden under cyberattack: Prime minister sounds the alarm
  • Former CIA Analyst Sentenced to Over Three Years in Prison for Unlawfully Transmitting Top Secret National Defense Information
  • FIN6 cybercriminals pose as job seekers on LinkedIn to hack recruiters
  • Dutch police identify users on Cracked.io
  • Help, please: Seeking copies of the PowerSchool ransom email(s)
  • RCMP thumb drive with informant, witness data obtained by criminals: watchdog

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Meta AI app is a privacy disaster – TechCrunch
  • Apple fixes new iPhone zero-day bug used in Paragon spyware hacks
  • Norwegian Data Protection Authority’s findings on tracking pixels: 6 cases
  • Multiple States Enact Genetic Privacy Legislation in a Busy Start to 2025
  • Rules Proposed Under New Jersey Data Privacy Act
  • Using facial recognition? Three recent articles of interest.
  • India publishes consent management rules under Digital Personal Data Protection Act

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.