UCLA Health Data Breach Lawsuits Mount

The cyberattack that hit UCLA Health could potentially have been suffered by a large number of hospitals in the United States. Hackers are deliberately targeting healthcare providers, and their employees, to gain access to healthcare data. With the current barrage of ever more sophisticated attacks, it is only a matter of time before some succeed.

UCLA Health Invested Heavily in Cybersecurity Protections


Given the high risk of attack, hospital systems must invest in robust cybersecurity protections to ensure, as far as is possible and practical, that patient data is kept secure.

UCLA Health had recently committed tens of millions of dollars to improve cybersecurity defenses. In its announcement of the attack, it was pointed out that even with multi-million dollar defenses it was unable to prevent this cyberattack, although “millions of known hacker attempts [are repelled] each year,” and it is under “near-constant attack.”

Alleged Failures to Secure Protected Health Information of Patients


In spite of these protections, some patients do not believe UCLA did enough to secure its networks and keep patient data secure.

Two class-action lawsuits have now been filed against UCLA Health following the potential theft of 4.5 million patient records by hackers. The lawsuits allege UCLA Health did not do enough to protect the privacy of patients. Damages are being sought by the plaintiffs, along with demands for more robust security measures to be put in place.

UCLA Health Data Breach Lawsuits Mount


On July 29, Miguel Ortiz filed a complaint in a Los Angeles County Superior Court against UCLA Health, UCLA Medical Sciences, and the University of California’s Board of Regents, seeking damages for harm caused to him and his family as a result of the cyberattack. He also wants to make sure additional protections are put in place to safeguard patient data in the future.

In the lawsuit, Ortiz states that third party auditors should be used to conduct regular risk analyses along with internal security personnel, and he says all computer systems should be assessed on a periodic basis according to industry standard practices, to identify potential security risks.

Earlier in July, Michael Allen of Casper, Wyoming, filed a class-action against UCLA Health System stating ‘the failure to encrypt data constitutes unlawful business practices, breach of contract, unjust enrichment and negligence.’

That suit also claims UCLA Health had a lack of protection against hackers, specifically “failing to invest in adequate security and take basic steps to protect information.” The lawsuit also claims UCLA Health unnecessarily delayed the announcement of the data breach, waiting eight months to notify patients of the attack. UCLA Health has so far not commented on the lawsuits.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.