UCLA Health Data Breach Lawsuit: Healthcare Provider Not Liable to Pay Damages

The UCLA Health data breach lawsuit, filed by plaintiff Norma Lozano after her medical records were inappropriately accessed and disclosed to a third party by a medical office assistant, has been decided in favor of the healthcare provider. In a jury trial, UCLA Health was cleared of the charges and was found not liable to pay damages to the plaintiff.

Lozano filed the lawsuit after a medical office assistant, Alexis Price, accessed her medical records without authorization and disclosed intimate details of her medical history to a third party: Price's partner, who was also Lozano's ex-partner.

Price, along with other members of the hospital staff, had been given the login information for a physician, Dr. John Edwards. Price used that information to view medical records that she was not authorized to access. In addition to accessing Lozano’s medical file, Price took photos of that file and disclosed the information, which the plaintiff alleges caused her to suffer emotional harm.

Initially, Lozano filed the lawsuit against Dr. Edwards as well as UCLA; however, the matter with Dr. Edwards was settled privately out of court. The case against UCLA, however, was not. Lozano was seeking $1.25 million in damages from UCLA Health for the invasion of privacy and the emotional distress caused. The case went to a jury trial, where UCLA Health was cleared and was deemed not to be responsible for the privacy violation.

In cases such as this, where healthcare providers are taken to court over the actions of one individual, juries must decide whether the safeguards put in place to protect patient privacy were substandard, and whether it would have been reasonable, under the circumstances, to expect the healthcare provider to have done more to prevent the data breach.

In this case, the jurors decided that UCLA Health had not acted with negligence, and had protections in place to keep patient data private. The defense provided expert witnesses to testify that the protections put in place were in line with those used by other healthcare providers, and that they met industry standards. These testimonies proved to be decisive. The jury took just an hour to reach its decision.

It is common for healthcare providers to implement additional security controls to prevent unauthorized access to patients' medical records. Celebrities, public officials, and individuals named in criminal cases are likely to have these controls applied to make it harder for their records to be accessed.

The secondary controls, such as requiring passwords to be entered twice and requiring a reason to be entered into the system explaining why records need to be viewed, decrease the probability of inappropriate access. They do not, however, prevent individuals with passwords from viewing records. In this case, since Price had the password, those measures would have been unlikely to prevent the medical assistant from gaining access to the records even if they had been used.

This can be seen as a victory not just for UCLA Health but for all healthcare providers, and it could well set a legal precedent. That does not mean that Price, Edwards and UCLA Health are in the clear. Price violated the Health Insurance Portability and Accountability Act (HIPAA) by viewing records without authorization, and the sharing of login information breached HIPAA Rules. Those HIPAA violations carry stiff financial penalties as well as jail terms.

Similarly, UCLA Health could potentially be penalized under HIPAA Rules. Should the Department of Health and Human Services’ Office for Civil Rights decide to investigate UCLA for HIPAA violations, the healthcare provider would need to demonstrate that training on the Privacy and Security Rules had been provided to staff, that a risk assessment had taken place, and that other requirements of HIPAA Rules had been satisfied.

Any violation of HIPAA Rules that is discovered, even if unrelated to the privacy violation committed by Price, could result in a hefty fine being issued.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news