Class Action Filed Against UCLA for 4.5 Million-Record Data Breach

It has been less than a week since the announcement that the patient database at UCLA Health Systems was hacked, and already a class action lawsuit has been filed by one patient, Michael Allen of Casper, Wyoming, on behalf of “several million individuals”.

Allen, represented by Kevin Mahoney of Long Beach, claims UCLA Health Systems’ failure to encrypt data constitutes unlawful business practices, breach of contract, unjust enrichment and negligence. He is seeking class certification and as of yet unspecified damages for fraud, violation of medical confidentiality, an invasion of privacy and the costs of filing the lawsuit.

UCLA hospitals and the University of California Board of Regents were named in the lawsuit which was filed on Monday of this week. The breach was announced on July 17, barely one business day before the lawsuit was filed.

In the lawsuit, Allen claims the lack of data protection, specifically the lack of data encryption, amounted to negligence. “Due to defendants’ failure to take the basic steps of encrypting patients’ data, it was much easier for cyber thieves to interpret the information, use it to steal the identities of defendants’ patients or sell to others,” Allen said in the lawsuit.

Allen received medical treatment in February 2013, a year before hackers gained access to patient data. His name, address, date of birth, Social Security number, health insurance information, Medicare number and health information were allegedly stolen by hackers.

UCLA Health noticed some “suspicious network activity” in October 2014, although it is understood that access was first gained to at least one of its servers a month earlier. An investigation was conducted, and the matter was reported to the FBI. However, on May 5th, UCLA Health discovered its patient database had also been compromised and 4.5 million patient records had potentially been stolen.

It took until July 17, 2015 for breach notification letters to start being issued to patients, 9 months after the “suspicious network activity” was discovered, and 10 weeks after PHI was found to have been compromised. According to Allen, the process of notifying affected patients is far from over. The lawsuit says, “Underscoring its dilatory response, defendants are still delaying notifying individual consumers affected by the breach.”

In addition to the class action lawsuit, it is probable that the data breach will result in a financial penalty being issued by the Department of Health and Human Services’ Office for Civil Rights for potential HIPAA violations. The OCR investigates all data breaches involving more than 500 individuals to determine whether the data breach could have realistically been prevented, and whether the covered entity contributed to the cause of the breach by failing to implement appropriate controls to keep the data secure.

HIPAA does not require data at rest to be encrypted – data encryption is only an addressable issue – however the breach notice period does appear to have been exceeded. HIPAA requires covered entities to notify individuals affected by a data breach within 60 days of the discovery of a data breach. HIPAA also states that the issuing of a breach notice should not be “delayed unnecessarily”.

The OCR can issue fines of up to $1.5 million per violation category, per year that the violation was allowed to persist. Even if the lawsuit does not prove to be successful, UCLA Health is going to have to cover huge costs to mitigate risk and deal with the fallout from the data breach. Should the suit be successful, the costs will be considerably higher. Typically data breach class-action lawsuits seek damages of $1,000 per victim.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.