The intervening criminal acts of burglars are unlikely to shield the University of California at Los Angeles (UCLA) Health System from liability underCalifornia’s Confidentiality of Medical Information Act (CMIA) for patient data breach.
The medical records of over 16,000 patients of the UCLA Health Systems were stolen from a former UCLA physician’s home in September 2011. The information was contained on an external hard drive taken by the burglars. The patients were not notified until November 2011 of the incident. The patients’ medical records were encrypted, however, a piece of paper on which the password to access the records was written is also missing after the burglary. Although Social Security numbers and financial information were not included on the hard drive, the stolen device did contain first and last names, addresses, birth dates, and medical record numbers and information.