UCLA Health Cleared in Data Breach Lawsuit

The University of California Los Angeles Health System was cleared of liability in a lawsuit filed against it for the unauthorized disclosure of a patient’s medical records to a “romantic rival”.

The patient in question, Norma Lorenzo, filed a lawsuit against UCLA Health for disclosing her personal information to an unauthorized individual in 2012. Lorenzo filed the suit claiming emotional distress and an invasion of her privacy, and sought $1.25 million in damages.

The incident which sparked the lawsuit involved a temporary worker using the login credentials of a physician to access Lorenzo’s files. That individual then texted photos of the medical records to Lorenzo, her father and her former boyfriend. The information texted related to a sexually transmitted disease Lorenzo had received treatment for. The individual who accessed and disclosed the records was the current partner of one of Lorenzo’s former boyfriends.

While UCLA Health was not directly responsible for the breach of personal information, Lorenzo claimed in the lawsuit that UCLA Health had not taken sufficient steps to ensure patient data was secured. She claimed UCLA Health should have added a second layer of security in addition to login controls, prior to the unauthorized disclosure.

The second layer of security that Lorenzo refers to is a “break the glass” measure. Under this control, the access password must be entered a second time before the data is released, and the individual in question would also have had to enter a reason for viewing the records before access was granted.

The lawsuit alleges the data breach would not have occurred if these controls had been put in place. However, in this instance it is debatable whether the additional security control would have prevented the data breach.
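A minimal model of the “break the glass” control described above, added here as an illustration and not taken from UCLA Health or any vendor system: routine access to a patient one is treating passes through, while anything outside that relationship demands a re-entered password plus a recorded reason, and every override attempt is written to an audit log whether or not it is granted. The user names, patient identifiers and password are constructed for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed credential store: user -> (salt, PBKDF2 hash). Hypothetical users.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"dr_smith": (_SALT, _hash("correct horse", _SALT))}
# Patients each clinician is currently treating; no override is needed for these.
TREATING = {"dr_smith": {"P-100"}}
AUDIT_LOG: list[dict] = []  # every override attempt lands here, granted or not

def verify_password(user: str, password: str) -> bool:
    entry = USERS.get(user)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, _hash(password, salt))

def open_record(user: str, password: str, patient_id: str, reason: str = "") -> bool:
    """Return True if the record may be shown. Access outside the treating
    relationship is a break-the-glass override: the password is entered a second
    time and a reason is mandatory, and the attempt is audit-logged either way."""
    if patient_id in TREATING.get(user, set()):
        return True
    attempt = {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
               "patient": patient_id, "reason": reason.strip(), "granted": False}
    AUDIT_LOG.append(attempt)
    if len(attempt["reason"]) < 10:      # refuse empty or token justifications
        return False
    if not verify_password(user, password):
        return False
    attempt["granted"] = True
    return True

def overrides_for(patient_id: str) -> list[dict]:
    """Audit review: who invoked the override against this patient's chart."""
    return [a for a in AUDIT_LOG if a["patient"] == patient_id]
```

Note that the gate still opens for anyone holding a valid password, which is the point the article makes about stolen credentials; what the control adds is a name, a time and a stated reason for every out-of-scope access, which an audit review can then question.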

In recent months there have been a number of cases of employees improperly accessing the medical records of other patients or members of staff out of curiosity, as well as for financial gain. A number of lawsuits have been filed against HIPAA-covered entities that have “allowed” these improper disclosures to occur; however, liability in these cases is difficult to determine.

What the courts must determine is whether a HIPAA-covered entity should have had more robust controls in place to prevent unauthorized access to data, whether under the circumstances that entity could realistically have prevented the data breach, and whether the covered entity’s actions, or lack of action, were the “proximate cause” of the breach, that is, whether the healthcare provider’s conduct or missing controls led to the breach occurring.

UCLA Health claimed it cannot be held liable for a breach of information resulting from the misconduct of one employee, a viewpoint shared by the court, which cleared UCLA Health of liability for the data breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.