UCLA Health Should Wake Up and Smell Too Many Data Breaches

Los Angeles, CAIt’s almost a joke. How many UCLA data breaches and lawsuits does it take for UCLA Health Systems to figure out how to properly store private medical information?

This isn’t the first time UCLA has been hacked and sued. Besides last month’s data breach and subsequent data breach class action, its patients’ personal information was stolen in September 2011 and a class action filed three months later, alleging the defendants failed to invest in adequate security or take basic steps such as data encryption. The lawsuit claimed this incident was a violation of the California Confidentiality of Medical Information Act, which is supposed to protect the privacy of patients’ personal histories and information. But the data breach lawsuit “failed to move forward,” according to the plaintiff’s attorney. Hospital officials (those who remained from a crackdown a few years earlier) said data was stolen from a physician’s external hard drive.

A number of UCLA hospital officials between 2005 and 2009 were caught and fired for reviewing unauthorized patient information, some of whom were celebrities, including Britney Spears and Farah Fawcett. And the Ronald Reagan UCLA Medical Center was fined by state regulators for allegedly breaching Michael Jackson’s records. At the time, UCLA said in a public statement that “patients’ privacy” is their primary concern, and that they are cooperating with investigators. Additionally, they contracted a data security firm to “work with the affected patients.”

Really?

In a press release regarding the July 2015 cyber attack, UCLA says it is offering free of charge identity protection services to potentially impacted individuals. According to its website, this service includes “Exclusive educational materials on protecting your identity including instructive articles, up-to-date information on new identity theft scams and tips for protecting yourself.” Perhaps UCLA should read up on how they should protect themselves first. As for ID Experts, the data security firm UCLA hired this time, let’s hope it wasn’t the same security firm that “worked with patients” almost a decade ago.

And how generous of UCLA to notify potentially affected individuals by US mail. Those individuals are expected to have received notice a few weeks after the breach occurred. And it also reminds potential victims that they can “obtain a free copy of your credit report once every 12 months by requesting your report online.” Of course you can get a report sooner, for a fee. And by the time you receive notice about the breach, chances are the damage has already been done.

Lastly, the UCLA website advises that you “also report a suspected incident of identity theft to the proper law enforcement authorities.” The latest UCLA data breach lawsuit (Ortiz v. UCLA Health System et al., case number BC589327, in the Superior Court of the State of California for the County of Los Angeles) alleges that, although the UCLA break-in happened in September or October 2014, patients weren’t told that their private data may have been stolen until July 2015.

You might want to consider filing a claim against UCLA. Perhaps this time a class-action data breach lawsuit will ensure that adequate security systems are finally put in place...