DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

UCLA Hospitals Sued Over Patient Data Breach

Posted on December 20, 2011 by Dissent

Amanda Bronstad reports that UCLA Health System was sued over a September breach revealed last month. The potential class action lawsuit, filed December 14, alleges violations of California’s Confidentiality of Medical Information Act, which provides for statutory damages of $1,000/per person. At over 16,000 patients, that could cost them $16.3 million plus legal fees and other breach-related costs.

The breach occurred September 6, when an encrypted hard drive was stolen during a home invasion. UCLA reported that although this information was encrypted, the password was written on a piece of paper near the hard drive and could not be located. The files on the drive did not include Social Security numbers or any financial information, but did include first and last names and may have included birth dates, medical record numbers, addresses and medical record information.

Bronstad’s report includes an interesting piece of information, previously unknown to me:

The physician whose home was burglarized had not worked at UCLA since July.

Of course, that doesn’t mean that the physician had no need to still access those records, but it may raise other questions, such as what UCLA Health does to secure patient records when employees terminate. In this case, the drive was encrypted, and it may well be that the piece of paper with the encryption key was merely lost at some other time but went unnoticed until the burglary. The bigger concern I see is that four years’ worth of patient data were on an external drive off premises by someone no longer employed by the health system. Did UCLA know where all those data were?  Someone must have known since individual notification letters were sent, but the incident certainly should give us all pause to reflect on how many patients in this country have their data on external devices or portable devices that are outside the covered entities’ premises and that could be stolen or lost – without the covered entity ever finding out (or the patients, for that matter!). This doctor did the right thing by reporting the breach, but how would a hospital know if a former employee still retained data that were subsequently stolen?  They might not know.

And that is today’s scary thought of the day.

Related posts:

  • UCLA Health discloses network breach potentially affecting 4.5 million patients
  • UCLA Health System notifies 16,288 of stolen hard drive
Category: Health Data

Post navigation

← Fertile sperm donor draws criticism from FDA, docs
Atari and Square Enix cough to exposing users’ privates →

4 thoughts on “UCLA Hospitals Sued Over Patient Data Breach”

  1. Anonymous says:
    December 20, 2011 at 6:59 pm

    Hi, I wanted to leave a comment on another story… there I’m pretty certain that the number of 8.5 million should be 5.8 million. There are a bunch of other reports from earlier this year, not from this particular source, that reference the 5.8 million number. Let me know if you want more to correct that entry (I find this site is a very valuable archive! thanks!)

    1. Anonymous says:
      December 20, 2011 at 7:32 pm

      Hi Joe,

      Yes, if you have other references, please let me know and I will edit that archived story to correct the number. Thanks.

  2. Anonymous says:
    December 23, 2011 at 6:33 am

    Here are two stories that cite the 5.8 million figure… there are many more at the dutchnews.nl site.

    1. Anonymous says:
      December 23, 2011 at 8:05 am

      Thanks so much – will correct that post!

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Armenian National Extradited to the United States Faces Federal Charges for Ransomware Extortion Conspiracy
  • 70% of healthcare cyberattacks result in delayed patient care, report finds
  • Police disrupt “Diskstation” ransomware gang attacking NAS devices
  • Meta fixes bug that could leak users’ AI prompts and generated content
  • Mississippi Law Firm Sues Cyber Insurer Over Coverage for Scam
  • Ukrainian Hackers Wipe 47TB of Data from Top Russian Military Drone Supplier
  • Computer Whiz Gets Suspended Sentence over 2019 Revenue Agency Data Breach
  • Ministry of Defence data breach timeline
  • Hackers Can Remotely Trigger the Brakes on American Trains and the Problem Has Been Ignored for Years
  • Ransomware in Italy, strike at the Diskstation gang: hacker group leader arrested in Milan

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Upstate NY county clerk again refuses to enforce Texas abortion judgment
  • Attorney General James Leads Coalition Urging Congress to Protect Americans from Masked ICE Agents
  • Attorney General Tong Announces $85,000 Settlement with TicketNetwork for Violations of the Connecticut Data Privacy Act​
  • Fourth Circuit upholds West Virginia ban on abortion pills
  • Meta fixes bug that could leak users’ AI prompts and generated content
  • The EU’s Plan To Ban Private Messaging Could Have a Global Impact (Plus: What To Do About It)
  • A Balancing Act: Privacy Issues And Responding to A Federal Subpoena Investigating Transgender Care

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.