UCLA Health faces class-action lawsuit after breach

The breach at UCLA Health, announced last week, already has prompted a proposed class-action lawsuit, according to Law360.

Plaintiff Michael Allen argues that UCLA Health failed to take the basic precautionary steps to protect the personal and medical information for as many as 4.5 million individuals whose data might have been compromised.

So far, UCLA Health says it still hasn't determined whether attackers actually obtained the sensitive patient information; it is working with the FBI on the investigation.

The four-hospital system faces accusations of fraud, invasion of privacy, breach of contract, negligence and a violation of California laws such as the Confidentiality of Medical Information Act (CMIA), according to the article.

Up to $1,000 in statutory damages and $3,000 in punitive damages could be awarded to plaintiffs for each violation of CMIA. Allen also is seeking $1,000 for each violation of California's Business & Professions Code.

UCLA Health determined on May 5 that hackers accessed parts of its network. It's been working with the FBI since then, when it first detected suspicious activity. Names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare or health plan ID numbers and some medical information were put at risk.

James Atkinson, interim associate vice chancellor and president of the system, said that UCLA has already taken "significant steps" to protect data and strengthen its network.

After high-profile breaches from Anthem, Premera, Franklin, Tennessee-based Community Health Systems and others, the Blue Cross Blue Shield Association announced an initiative to offer identity protection services to all of its 160 million members preemptively.

Mac McMillan, CEO of health IT consultancy CynergisTek, and current chair of the HIMSS Privacy and Security Policy Task Force, however, says rather than viewing breaches as inevitable, healthcare organizations must remain vigilant about preventing them in the first place.

To learn more:
- find the article (reg. required)
- read the lawsuit