UCLA Faces Class Action Lawsuit Over Health Data Breach


A class action lawsuit was filed on Monday over a UCLA Health System data breach which compromised personal health information of 4.5 million UCLA patients.

July 22, 2015

UCLA Health System is facing a class action lawsuit in federal court after 4.5 million patients’ records were jeopardized in a recent cyber-attack.

The information affected included names, addresses, birthdates, Social Security numbers, insurance information, and personal data related to patients’ illnesses, medications and treatment.

The complaint, filed by plaintiff Michael Allen in the Central District of California, alleges that the hospital network failed to take the “basic steps” necessary to safeguard patient information, and claims that UCLA violated its contracts by allowing the attack to occur.

“Due to [UCLA’s] failure to take the basic steps of encrypting patients’ data,” it argues, “it was much easier for cyber thieves to interpret the information, use it to steal the identities of defendants’ patients, or sell to others who would use defendants’ patients’ personal and health information.”

The complaint also denounces UCLA Health for failing to notify affected patients quickly or deal with the breach expeditiously.

Although the breach apparently occurred sometime around September 2014, suspicious activity was not discovered or investigated until October, and the breach was not firmly identified until May 5, 2015.

Although UCLA has said they are “sending letters to affected individuals with details on how to access the identity theft and restoration services,” most individual patients have still not been notified as to whether their personal information was stolen.

Mr. Allen claims that he was personally affected by the breach after making several visits to a UCLA Health facility sometime in early 2013. As such, he is part of the group of patients whose information would have been exposed by the hack.

His complaint alleges nine total causes of action, including negligence, breach of contract, invasion of privacy, violations of the Confidentiality of Medical Information Act (“CMIA”), and several statutory violations, among others.

Although UCLA Health has said that there “is no evidence that the attacker actually accessed or acquired the personal or medical information maintained on the impacted parts of the UCLA Health network,” that was not enough to stop Mr. Allen from filing suit.

Nor was Mr. Allen placated by UCLA’s offer to give “all potentially affected individuals 12 months of identity theft recovery and restoration services as well as additional health care identity protection tools.”

Instead, he’s asking for monetary damages, a declaration that UCLA violated the law, and injunctive relief that would force UCLA Health to change its record keeping practices.

If the suit is successful, UCLA Health could be facing a hefty judgment.

Every violation of the CMIA entitles each class member to $1,000 in statutory damages, plus an additional $3,000 in punitive damages, while violations of California’s Business & Professions Code—which were also alleged—may entitle class members to as much as $1,000 per violation.

Because of the money at stake, and because it’s still not clear what data hackers actually gained access to, expect UCLA to fight this lawsuit vigorously.

In the meantime, UCLA has said that, in response to the attack, it has “engaged the services of leading cyber-surveillance and security firms, which are actively monitoring and protecting our network” and that it has “also expanded [its] internal security team.”
