The following article by Amanda Bronstad published in The National Law Journal highlights the problems many professionals face today with data backup and security. Ask yourself: "Do we currently have storage off-site? Do we know where that information is at all times and how long it should be there?" If you have questions, call D1 Solutions at 303-422-3621 and ask about our AES Secured Colorado stored services.

UCLA Hospitals Sued Over Patient Data Breach

Amanda Bronstad, The National Law Journal

December 20, 2011


The University of California at Los Angeles Health System has been sued for violating California law after burglars took the medical records and other personal information belonging to nearly 16,000 patients from a former physician's home.

The suit, filed as a proposed class action on Dec. 14, alleges that by not protecting its patients' confidential information, the hospital system violated California's Confidentiality of Medical Information Act. The law allows each patient to recover $1,000 in statutory damages per occurrence.

Brian Kabateck of Kabateck Brown Kellner in Los Angeles, who filed the suit along with The Ball Law Firm, also of Los Angeles, estimated that the case involved damages of more than $16 million.

"Our argument is, at this point, why in the world did this doctor have this in the first place? Why was he carrying it around? Why did he take it home?" Kabateck said. "The statue was designed specifically to tell and instruct medical providers. 'You've got a heightened standard. You've got to do more than treat it like information at a company that sells copy machines.' It's not a customer list. It's critical confidential patient information."

Health system spokeswoman Rachel Champeau declined to comment on pending litigation.

UCLA Health System operates the Ronald Reagan UCLA Medical Center, Santa Monica-UCLA Medical Center and Orthopaedic Hospital, Resnick Neuropsychiatric Hospital at UCLA, Mattel Children's Hospital UCLA, and UCLA Medical Group.

The U.S. Department of Health and Human Services has reported more than 370 major medical-information breaches since 2009, prompting the department to propose a rule that would let patients obtain reports about who had accessed their electronic medical records in the past three years.

The UCLA burglary took place on Sept. 6. On Nov. 4, UCLA notified the public that burglars had stolen an external computer hard drive that contained personal information of 16,288 patients who sought medical care at one of its hospitals from July 2007 through July. The password to access the encrypted data, written on a piece of paper, also could not be located.

UCLA said that no Social Security numbers or financial information was included in the documents that were stolen. They did, however, include first and last names, birth dates, addresses, and medical record numbers and information, but not the medical records themselves. UCLA hired Kroll, a data security firm, to assist patients who might have been affected, and reported the incident to the U.S. Department of Health and Human Services' Office for Civil Rights.

In July, UCLA agreed to pay $865,500 to settle an investigation brought by that office into security and privacy violations between 2005 and 2008. Hospital employees were fired and, in at least in one case, pleaded guilty to illegally accessing the confidential medical records of celebrities, including Britney Spears and the late Farrah Fawcett.

"The UCLA Health System considers patient confidentiality a critical part of its mission of providing the highest level of teaching, research and patient care," UCLA said at the time in a prepared statement. "UCLA's concern for its patients is absolute, and we deeply regret any breach of patient confidentiality and the stress and concern it might cause our patients."

The physician whose home was burglarized had not worked at UCLA since July.

The suit, filed in Los Angeles County, Calif., Superior Court, said the physician worked at UCLA Faculty Practice Group, which treats patients at UCLA's outpatient clinics and four hospitals. The suit, brought by a woman who went to Ronald Reagan center at least five times from April 2011 to June 2011, was filed on behalf of all UCLA Health System patients whose confidential medical information was stored on the stolen hard drive.

Kabateck filed a similar suit a few months ago against Stanford Hospital. In that case, emergency room records of patients ended up on the internet after Stanford provided them to an outside vendor.

"That's similar, in the sense they're not thinking when they give this information out and it relates to people -- whether it's a doctor taking it home with him or an outside vendor doing a beta test for them on some computer project," Kabateck said.

Stanford Hospital, which canceled its contract with the vendor, has denied liability.