UCLA Health Faces Lawsuit Already
Class Action Filed Almost Immediately After Breach Revealed
A lawsuit seeking class-action status was filed against UCLA Health on the first business day after the healthcare organization revealed it was the victim of a cyberattack. The breach potentially compromised information on 4.5 million individuals.
The suit, filed in the U.S. District Court for the Central District of California on July 20, alleges privacy-related violations of several California laws, including the state's Confidential Medical Information Act and its Business and Professions Code. Plaintiffs are seeking unspecified damages.
But attorney Stephen Wu of the law firm Silicon Valley Law Group, which is not involved in the case, says the lawsuit is potentially seeking "billions of dollars in statutory damages" because California law provides for damages of $1,000 per record breached, and there were potentially 4.5 million individuals affected by the cyberattack.
He notes, however, that "there hasn't been success so far" in plaintiffs being awarded that level of statutory damages in data breach cases. That's because plaintiffs in other cases "could not show that data was misused or that actual ID theft has occurred."
UCLA Health said in a statement provided to Information Security Media Group: "At this time, there is no evidence that the attacker actually accessed or acquired any individual's personal or medical information." The organization includes four hospitals on two campuses - Ronald Reagan UCLA Medical Center; UCLA Medical Center, Santa Monica; Mattel Children's Hospital UCLA; and Resnick Neuropsychiatric Hospital at UCLA - and more than 150 primary and specialty offices throughout Southern California.
When it comes to major breaches, there's often a race to see who can file the first lawsuit, says attorney Ron Raether of the law firm Faruki Ireland & Cox P.L.L, which is not involved in the case but often defends other companies in breach-related lawsuits.
"The real motivating factor in how quickly these lawsuits are getting filed is the race by the plaintiffs' bar to figure out who's going to be the lead attorney in these class action cases," he says.
"Obviously I don't believe every event deserves a class-action, and it shouldn't be determined simply on the basis of the number of consumers affected," he says. "Information security and compliance is extremely difficult, it's complicated and very individualistic ... because each business is going to have a different information security framework and structure in terms of employees, training, access points, consumers and type of data."
Courts also need to carefully determine "if these cases are truly filed too soon and have merit before the cost and the burden of having to defend a class action is imposed on [a] company, which, in most cases, itself is a victim of a criminal," he adds.
Failure to Secure Data?
The lead plaintiff in the case - Michael Allen, a UCLA Health patient who filed the suit also on behalf of "all others similarly situated" - claims the healthcare provider's "failure to maintain the security of its current and former customers' nonpublic personal and health information" has resulted in an invasion of privacy, constructive fraud, breach of contract, negligence and unjust enrichment.
The suit contends that UCLA Health's "patients' personal information, and possibly their sensitive health information, was not kept secure. Instead, it was left in an unencrypted state and stolen by cyber thieves." Because the healthcare organization failed to encrypt patients' data, the lawsuit says, "it was much easier for cyber thieves to interpret the information, use it to steal the identities of defendants' patients, or sell to others who would use defendants' patients' personal and health information."
UCLA Health, in a July 17 statement announcing the breach, said attackers accessed parts of the provider's network that contain personal information such as names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare or health plan ID numbers and some medical information. Based on the continuing investigation, UCLA Health says it appears that the attackers may have had access to these parts of the network as early as September 2014.
The lawsuit contends that plaintiffs "face a long-term battle against identity theft." UCLA Health's "failure to adequately protect the ... information in their possession has caused, and will continue to cause, substantial harm and injuries to plaintiff and all current and former customers of defendants." The suit, however, does not specify any incidents of ID theft that allegedly occurred in the wake of the cyberattack.
An attorney for the plaintiff did not immediately respond to Information Security Media Group's request for comment.
UCLA Health Response
UCLA Health also declined to comment on the lawsuit, saying only: "UCLA does not discuss pending litigation." That includes addressing the question of whether the data affected by the cyberattack was unencrypted, as the lawsuit contends.
The organization says it's continuing to investigate the cyberattack. "Our top priorities are the safeguarding of personal and medical information and reaching out to those who may have been affected by the cyberattack," the provider organization says.
Back in 2011, the Department of Health and Human Services' Office for Civil Rights reached a resolution agreement with the University of California at Los Angeles Health System after a records snooping incident. In that settlement, UCLA agreed to pay an $865,500 fine and carry out a corrective action plan aimed at remedying gaps in its compliance with HIPAA.
The resolution agreement resolved two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLA Health System. The complaints alleged that health system employees repeatedly and without permissible reason looked at the electronic protected health information of these patients.
And in another breach case involving UCLA, a California appellate court in 2013 dismissed a class action suit stemming from a 2011 burglary at the home of a UCLA Faculty Group Practice physician. An unencrypted external hard drive stolen in the burglary contained data on more than 16,000 patients treated at UCLA facilities. In dismissing the suit, which also alleged UCLA failed to have reasonable controls in place to prevent the disclosure of private medical information, the court noted there was no confirmation that the affected patients' data was actually inappropriately accessed (see Big Breach Highlights Encryption's Value).
The cyberattack on UCLA Health is the latest in a string of large hacker attacks targeting healthcare sector organizations in recent months. Those include Anthem Inc., which was hit by a breach affecting nearly 80 million individuals, as well as Premera Blue Cross and CareFirst Blue Cross Blue Shield.
Many lawsuits have been filed as a result of those breaches as well.
For instance, so far there have been about 100 lawsuits filed against Anthem, says attorney Lynn Toops of Indianapolis law firm Cohen & Malad LLP, which is representing plaintiffs in one of those suits. That case, like the others, has been consolidated and transferred to the U.S. District Court for the Northern District of California, she says. As for incidents of fraud that have allegedly resulted from the Anthem breach so far, "the largest identity theft complaint that we have been hearing about from Anthem victims is tax fraud," she says.