DataBreaches.Net

UCLA Hospitals Sued Over Patient Data Breach

Posted on December 20, 2011 by Dissent

Amanda Bronstad reports that UCLA Health System was sued over a September breach revealed last month. The potential class action lawsuit, filed December 14, alleges violations of California’s Confidentiality of Medical Information Act, which provides for statutory damages of $1,000 per person. At over 16,000 patients, that could cost them $16.3 million plus legal fees and other breach-related costs.

The breach occurred September 6, when an encrypted hard drive was stolen during a home invasion. UCLA reported that although this information was encrypted, the password was written on a piece of paper near the hard drive and could not be located. The files on the drive did not include Social Security numbers or any financial information, but did include first and last names and may have included birth dates, medical record numbers, addresses and medical record information.

Bronstad’s report includes an interesting piece of information, previously unknown to me:

The physician whose home was burglarized had not worked at UCLA since July.

Of course, that doesn’t mean that the physician had no need to still access those records, but it may raise other questions, such as what UCLA Health does to secure patient records when employees terminate. In this case, the drive was encrypted, and it may well be that the piece of paper with the encryption key was merely lost at some other time but went unnoticed until the burglary. The bigger concern I see is that four years’ worth of patient data were on an external drive held off premises by someone no longer employed by the health system. Did UCLA know where all those data were? Someone must have known since individual notification letters were sent, but the incident certainly should give us all pause to reflect on how many patients in this country have their data on external devices or portable devices that are outside the covered entities’ premises and that could be stolen or lost – without the covered entity ever finding out (or the patients, for that matter!). This doctor did the right thing by reporting the breach, but how would a hospital know if a former employee still retained data that were subsequently stolen? They might not know.

And that is today’s scary thought of the day.

Category: Health Data

4 thoughts on “UCLA Hospitals Sued Over Patient Data Breach”

  1. Anonymous says:
    December 20, 2011 at 6:59 pm

    Hi, I wanted to leave a comment on another story… there I’m pretty certain that the number of 8.5 million should be 5.8 million. There are a bunch of other reports from earlier this year, not from this particular source, that reference the 5.8 million number. Let me know if you want more to correct that entry (I find this site is a very valuable archive! thanks!)

    1. Anonymous says:
      December 20, 2011 at 7:32 pm

      Hi Joe,

      Yes, if you have other references, please let me know and I will edit that archived story to correct the number. Thanks.

  2. Anonymous says:
    December 23, 2011 at 6:33 am

    Here are two stories that cite the 5.8 million figure… there are many more at the dutchnews.nl site.

    1. Anonymous says:
      December 23, 2011 at 8:05 am

      Thanks so much – will correct that post!

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.