Data Privacy and Network Security Alert: UCLA hospitals facing $16M class action for stolen patient information

The intervening criminal acts of burglars are unlikely to shield the University of California at Los Angeles (UCLA) Health System from liability under California’s Confidentiality of Medical Information Act (CMIA) for a patient data breach.

The medical records of over 16,000 patients of the UCLA Health System were stolen from a former UCLA physician’s home in September 2011. The information was contained on an external hard drive taken by the burglars. The patients were not notified of the incident until November 2011. The patients’ medical records were encrypted; however, a piece of paper on which the password to access the records was written is also missing after the burglary. Although Social Security numbers and financial information were not included on the hard drive, the stolen device did contain first and last names, addresses, birth dates, and medical record numbers and information.

A proposed class action suit was filed in California state court in December 2011 on behalf of a class comprised of all the UCLA Health System patients whose confidential medical information was stored on the hard drive. The suit alleges that UCLA Health System violated the CMIA, which allows each aggrieved patient to recover $1,000 in statutory damages per occurrence, resulting in at least $16M in potential liability for UCLA in statutory damages alone. The CMIA provides that healthcare providers must take extra precautions to protect patients’ personal and confidential information. “The statute was designed to tell and instruct medical providers, ‘You’ve got a heightened standard,’” said plaintiffs’ counsel. The importance of securing patient data should not come as a surprise to UCLA, which agreed in July 2011 to pay $865,000 to settle an investigation brought by the U.S. Department of Health and Human Services’ Office for Civil Rights after employees illegally accessed the confidential medical records of celebrity patients, including Britney Spears and the late Farrah Fawcett.

The UCLA breach illustrates how critical it is for healthcare providers to proactively institute internal safeguards and policies to secure personal health information, including properly instructing employees on the ramifications of inadequately protecting this data. Such policies should be part of a comprehensive data security plan, which must also ensure compliance with new and rapidly changing state and federal data security laws. The UCLA breach is, after all, just the latest example of insufficient data security being a source of great liability. The U.S. Department of Health and Human Services has reported more than 370 major medical-information breaches since 2009 alone.

If you have any questions, contact:

James J. Giszczak

Dominic A. Paluzzi

Sean T. O’Brien

or any of our Data Privacy and Network Security attorneys by clicking on the link below:

Data Privacy and Network Security

McDonald Hopkins counsels businesses and organizations regarding all aspects of data privacy and network security, including proactive compliance with the numerous state, federal and private data security regulations (including PCI DSS and HITECH) relative to personal information and protected health information, training of employees and preventative measures to decrease the risk of data theft. We also counsel businesses and organizations through the data breach response process and coordinate notifications to affected individuals and state attorneys general, as well as advising on media-related issues. Our attorneys can help you properly assess your risks to ensure compliance. After you complete the brief McDonald Hopkins Data Privacy and Network Security Review, your company will be provided with an assessment of the required areas of compliance that have the greatest need of attention and improvement.

Carl J. Grassi, President
600 Superior Avenue, East, Suite 2100, Cleveland, Ohio 44114

© 2012 McDonald Hopkins LLC All Rights Reserved. This Alert is designed to provide current information for our clients, friends and their advisors regarding important legal developments. The foregoing discussion is general information rather than specific legal advice. Because it is necessary to apply legal principles to specific facts, always consult your legal advisor before using this discussion as a basis for a specific action.