UCLA Health Patient Receives 9 Incorrect Breach Notification Letters

The UCLA Health cybersecurity attack exposed the data of 4.5 million patients, most of whom have been informed if they have been affected by the breach; however it took a considerable amount of time for patients to receive their breach notification letters, and for one victim in particular, the notification process ran anything but smoothly.

According to a recent LA Times report, UCLA Health patient, Steve Reasner, was kept in the dark about the risk of identity risk that he faced, and it took many weeks since his data was exposed to learn he had been affected.

After hearing about the data breach on the news, Reasner wondered if his information was now in the hands of the hackers. He had previously used UCLA Health services and could conceivably have had his confidential data stolen.

He waited for a letter to arrive in the mail, and a few days later he received not one breach notification letter but nine. To add to his confusion, none of the letters were addressed to him. They had his address on the envelope, but the names of different individuals who had – presumably – also received medical services from UCLA Health.

Reasner called the helpline set up by UCLA Health to assist breach victims to ask if he had been affected. He alleges he was told he wasn’t. The telephone operator told him that his data was not among the batch that had been accessed in the cyberattack. However, he was not convinced. He said he was told “All of our doctors are at UCLA,” but Reasner told the LA Times, “I knew for sure that was an incorrect statement.”

Two weeks after that phone call was made, UCLA Health sent another breach notification letter, this time addressed to him, in which he was informed his data had in fact been exposed as a result of the cyberattack. It is not clear at this stage whether the mailing error was an isolated incident – a failure of a family to update UCLA Health they had moved house for example – or errors made at UCLA Health. For Reasner, the error adds insult to injury.

The Importance of Having Tried and Tested Breach Response Policies


After suffering a data breach, immediate action must be taken to minimize the damage caused. Law enforcement agencies must be notified, access to data must be terminated as far as is possible and action taken to prevent similar attacks from taking place. The extent of the breach must also be determined and the victims identified.

The notification period for informing healthcare data breach victims of the exposure of Protected Health Information is 60 days from the discovery of the breach. However, breach notices should be sent as soon as possible to ensure patients can take action of their own to mitigate risk. HIPAA requires covered entities to send breach notices to patients “without unreasonable delay”. Delays to the breach notification process, and errors caused during that process, can increase the risk of harm being suffered by the victims.

To ensure a fast response is possible, it is essential that a tried and tested breach response plan is in place; that all members of the breach response team are aware of their responsibilities; the necessary resources can be rapidly deployed, and the breach response process managed and efficiently executed. If policies are not tested and regularly checked, there is no way of knowing if they will work in practice.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.