Originally posted in Mintz Levin's Health Law & Policy Matters Blog
Written by Jordan Cohen
In yet another data breach affecting millions of individuals, UCLA Health System (“UCLA”) reported on Friday - July 17, 2015 - that hackers had accessed portions of its health network that contained personal information, including names, addresses, dates of birth, social security numbers, medical record numbers, Medicare or health plan ID numbers, and some medical information (including medical conditions, medications, procedures, and test results). Affected individuals include UCLA’s patients as well as providers that sought privileges at the health system.
As night follows day, by the following Tuesday - July 21, 2015 - UCLA became a defendant in a class action lawsuit after plaintiff Michael Allen filed the action in California federal court. The complaint alleges a number of violations related to the breach, including violation of California’s Confidential Medical Information Act.
According to its press release, UCLA determined on May 1, 2015, that the attackers had accessed UCLA’s network. Interestingly, UCLA notes that it had detected suspicious activity on its network in October of 2014, at which time it began working with the FBI to investigate the breach. At the time, UCLA did not believe that the attackers had access to the part of its network that contained personal information. However, as of May 5, 2015, UCLA concluded that the hackers may have had access to personal information as far back as September of 2014. UCLA has made identity protection and credit monitoring services available to potentially impacted individuals.
The class action claims that the breach was a direct result of UCLA’s failure to take “basic steps” to safeguard the sensitive information. One of these “basic steps”, the plaintiff argues, is the encryption of UCLA’s patient information.
However, it is unclear at this point the role that encryption would have played in preventing such an attack. If the hackers obtained access to UCLA’s internal network, it is possible that the data would have been accessible regardless of whether it was encrypted. As discussed in the MIT Technology Review following Anthem’s massive breach, “encryption is just one part of the arsenal that organizations need to deploy to secure sensitive data. Encryption is great for securing data in transit and at rest, but if the credentials and keys are compromised it does little to protect the data.”
The UCLA breach illustrates another area of concern: the ability of entities to effectively investigate potential breaches. While Anthem’s breach was an order of magnitude greater in terms of the number of individuals affected, the company publicly disclosed its breach less than one week after it detected the intrusion. UCLA’s investigation spanned a number of months, giving the hackers more time to nefariously use the information before countermeasures could be taken. This point was not lost on the plaintiff in the class action, with the complaint describing UCLA’s response as “dilatory” and accusing the system of delaying its notification to individual consumers. For its part, a UCLA representative told CNN that “the process of addressing the technological issues surrounding this incident and the logistics of identifying and notifying the potentially affected individuals was time-consuming.”
Regardless of how the class action suit is resolved in court, the UCLA breach is further evidence of the significant headwinds facing the health care sector, both in preventing and responding to data breaches.