Class-action lawsuit against UCLA Health System for data breach fails to move foward

Correction: The original version of this article contained an error. The lawsuit Brian Katabeck was involved with against Stanford University’s Hospital and Clinics has not been settled.

A class-action lawsuit filed in December 2011 against the UC Board of Regents in response to the theft of personal information of UCLA Health System patients in early September 2011 has failed to move forward, according to the plaintiff’s attorney.

Brian Kabateck, a lead attorney from Los Angeles-based firm Kabateck Brown Kellner, said legal representation for the UC regents has been nonresponsive since the complaint was filed.

The UCLA Health System reported in November 2011 that a hard drive containing more than 16,000 patients’ information had been stolen from the home of a UCLA physician on Sept. 6, 2011.

Social Security numbers and financial information were not among the documents stolen, but they did include first and last names and may have contained birth dates, medical record numbers, addresses and medical record information, according to the Health System’s statement.

The lawsuit claims the September incident was a violation of the California Confidentiality of Medical Information Act, in place to protect the privacy of patients’ personal histories and information. The suit is calling for $1,000 in damages for each patient on the hard drive.

The total cost of the suit for the Health System could amount to as much as $16 million, including the legal fees associated with the case.

“We believe it was negligent for the hospital to allow (patient information) to be taken to a private residence, and not having a program in place to better protect their patients,” said Kabateck. His firm filed the case with the Superior Court of Los Angeles County on Dec. 14, 2011.

Though there is no evidence of misuse of the patients’ information since the burglary, Kabateck said the case hinges on the negligence concerning the protection of digital information in the evolving medical world. He said he hopes the suit will force hospitals to be more careful.

While storing information online is an increasingly common practice, and can certainly coexist with patient privacy rights, the potential for data breach is significantly higher than a paper-based system, said Tena Friery, research director at the Privacy Rights Clearinghouse, a national nonprofit organization focused on consumer privacy protection.

She also cited a 2011 study revealing that 71 percent of health care organizations had suffered a data breach in the last year.

Kabateck was also involved in a case concerning similar violations against Stanford University’s Hospital and Clinics late last year, filed on behalf of 20,000 patients whose information was released onto a public website through a third party.

Kabateck said he would not be opposed to settling the case with the UC regents in court, though there has been no dialogue between the two parties since the filing of the complaint.

The current suit also follows in the wake of a separate agreement last July, in which the Health System paid a fine of $865,500 to settle potential Health Insurance Portability and Accountability Act privacy violations. That settlement was also in regards to improper disclosures of medical records.

The UC Office of the President could not be reached for comment. A spokesman for the UCLA Health System declined to comment on the lawsuit, citing its policy on pending litigation.