BreachExchange mailing list archives

UCLA Health Faces Lawsuit - Already


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 22 Jul 2015 18:56:58 -0600

http://www.govinfosecurity.com/ucla-health-faces-lawsuit-already-a-8427

A lawsuit seeking class-action status was filed against UCLA Health on the
first business day after the healthcare organization revealed it was the
victim of a cyberattack. The breach potentially compromised information on
4.5 million individuals.

The suit, filed in the U.S. District Court in the central district of
California on July 20, alleges privacy-related violations of several
California laws, including the state's Confidential Medical Information Act
and also its Business and Professions Codes. Plaintiffs are seeking
unspecified damages.

But attorney Stephen Wu of the law firm Silicon Valley Law Group, which is
not involved in the case, says the lawsuit is potentially seeking "billions
of dollars in statutory damages" because California law provides for
damages of $1,000 per record breached, and there were potentially 4.5
million individuals affected by the cyber-attack.

He notes, however, that "there hasn't been success so far" in plaintiffs
being awarded that level of statutory damages in data breach cases. That's
because plaintiffs in other cases "could not show that data was misused or
that actual ID theft has occurred."

UCLA Health said in a statement provided to Information Security Media
Group: "At this time, there is no evidence that the attacker actually
accessed or acquired any individual's personal or medical information." The
organization includes four hospitals on two campuses - Ronald Reagan UCLA
Medical Center; UCLA Medical Center, Santa Monica; Mattel Children's
Hospital UCLA; and Resnick Neuropsychiatric Hospital at UCLA - and more
than 150 primary and specialty offices throughout Southern California.

Fast Filing

When it comes to major breaches, there's often a race to see who can file
the first lawsuit, says attorney Ron Raether of the law firm Faruki Ireland
& Cox P.L.L, which is not involved in the case but often defends other
companies in breach-related lawsuits.

"The real motivating factor in how quickly these lawsuits are getting filed
is the race by the plaintiffs' bar to figure out who's going to be the lead
attorney in these class action cases," he says.

"Obviously I don't believe every event deserves a class-action, and it
shouldn't be determined simply on the basis of the number of consumers
affected," he says. "Information security and compliance is extremely
difficult, it's complicated and very individualistic ... because each
business is going to have a different information security framework and
structure in terms of employees, training, access points, consumers and
type of data."

Courts also need to carefully determine "if these cases are truly filed too
soon and have merit before the cost and the burden of having to defend a
class action is imposed on [a] company, which, in most cases, itself is a
victim of a criminal," he adds.

Failure to Secure Data?

The lead plaintiff in the case - Michael Allen, a UCLA Health patient who
filed the suit also on behalf of "all others similarly situated" - claims
the healthcare provider's "failure to maintain the security of its current
and former customers' nonpublic personal and health information" has
resulted in an invasion of privacy, constructive fraud, breach of contract,
negligence and unjust enrichment.

The suit contends that UCLA Health's "patients' personal information, and
possibly their sensitive health information, was not kept secure. Instead,
it was left in an unencrypted state and stolen by cyber thieves." Because
the healthcare organization failed to encrypt patients' data, the lawsuit
says, "it was much easier for cyber thieves to interpret the information,
use it to steal the identities of defendants' patients, or sell to others
who would use defendants' patients' personal and health information."

UCLA Health, in a July 17 statement announcing the breach, said attackers
accessed parts of the provider's network that contain personal information
such as names, addresses, dates of birth, Social Security numbers, medical
record numbers, Medicare or health plan ID numbers and some medical
information. Based on the continuing investigation, UCLA Health says it
appears that the attackers may have had access to these parts of the
network as early as September 2014.

The lawsuit contends that plaintiffs "face a long-term battle against
identity theft." UCLA Health's "failure to adequately protect the ...
information in their possession has caused, and will continue to cause,
substantial harm and injuries to plaintiff and all current and former
customers of defendants." The suit, however, does not specify any incidents
of ID theft that allegedly occurred in the wake of the cyberattack.

An attorney for the plaintiff did not immediately respond to Information
Security Media Group's request for comment.

UCLA Health Response

UCLA Health also declined to comment on the lawsuit. "UCLA does not discuss
pending litigation." That includes addressing the question of whether the
data affected by the cyberattack was unencrypted, as the lawsuit contends.

The organization says it's continuing to investigate the cyberattack. "Our
top priorities are the safeguarding of personal and medical information and
reaching out to those who may have been affected by the cyberattack," the
provider organization says.

Back in 2011, the Department of Health and Human Services' Office for Civil
Rights reached a resolution agreement with the University of California at
Los Angeles Health System after a records snooping incident. In that
settlement, UCLA agreed to pay a $865,500 fine and carry out a corrective
action plan aimed at remedying gaps in its compliance with HIPAA.

The resolution agreement resolved two separate complaints filed with OCR on
behalf of two celebrity patients who received care at UCLA Health System.
The complaints alleged that health system employees repeatedly and without
permissible reason looked at the electronic protected health information of
these patients.

And in another breach case involving UCLA, a California appellate court
in 2013 dismissed a class action suit stemming from an incident involving a
2011 burglary at the home of a UCLA Faculty Group Practice physician. An
unencrypted external hard drive stolen in the burglary contained data on
more than 16,000 patients treated at UCLA facilities. In dismissing the
suit, which also alleged UCLA failed to have reasonable controls in place
to prevent the disclosure of private medical information, the court noted
there was no confirmation that the affected patients' data was actually
inappropriately accessed (see Big Breach Highlights Encryption's Value).

Growing Trend

The cyberattack on UCLA Health is the latest in a string of large hacker
attacks targeting healthcare sector organizations in recent months. Those
include Anthem Inc., which was hit by a breach affecting nearly 80 million
individuals; Premera Blue Cross and CareFirst Blue Cross Blue Shield.

Many lawsuits have been filed as a result of those breaches as well.

For instance, so far there have been about 100 lawsuits filed against
Anthem, says attorney Lynn Toops of Indianapolis law firm Cohen & Malad
LLP, which is representing plaintiffs in one of those suits. That case,
like the others, has been consolidated and transferred to the U.S.
district court in the Northern District of California, she says. As for
incidents of fraud that have allegedly resulted from the Anthem breach so
far, "the largest identity theft complaint that we have been hearing about
from Anthem victims is tax fraud," she says.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss