Thursday, April 9

UCLA Health faces lawsuit for privacy breach in recent cyber attack

(Daily Bruin file photo)

A Los Angeles man filed a class action lawsuit against UCLA Health, alleging the health care provider did not adequately store private medical information of about 4.5 million patients during the recent cyber attack, a law firm announced Tuesday.

Miguel Ortiz filed the complaint against UCLA Health, UCLA Medical Sciences and University of California Board of Regents in the Los Angeles County Superior Court on July 29. He and his family were patients at UCLA Health during the time of the cyber attack.

The lawsuit seeks for UCLA to engage third party security auditors and internal security personnel to test computer systems on a periodic basis according to industry standard practices, and take other security and preventative measures. Ortiz also seeks monetary relief for any damage caused by the cyber attack.

This is the second lawsuit filed by a patient since the attack. Another UCLA Health patient, Michael Allen, said in his lawsuit that he seeks monetary or statutory compensation and relief for patients affected by the attack from UCLA Health and the Board of Regents.

On July 17, officials announced a security breach to UCLA Health’s computer network. UCLA Health suspected the security breach in October and contacted the FBI to investigate the attack.

The cyber attack may have exposed patients’ names, addresses, dates of birth, Medicare or health plan ID numbers, Social Security numbers and medical record numbers. Tod Tamberg, a UCLA spokesman said even though hackers accessed personal information, there is no evidence that any information was taken.

UCLA is currently investigating the computer system that was involved in the cyber attack.

The lawsuit stated that though UCLA knew of its history of data breaches, it not take the adequate steps to safeguard patient information. In addition, the lawsuit asserted that by failing to invest in adequate security and take basic steps to protect information, UCLA Health failed to perform its duty to patients. The lawsuit accused UCLA of waiting eight months to notify patients of the attack.

UCLA declined to comment further on these matters.

In 2011, UCLA Health patients were notified that a hard drive containing more than 16,000 patient’s information had been stolen from a UCLA physician’s home. The information stolen included birth dates, medical record numbers and addresses, causing similar lawsuits against UCLA to arise. A class action lawsuit filed after this case failed to move forward.

In 2007, a breach of UCLA’s database exposed the personal information of 800,000 students, staff and administrators, including Social Security numbers, also prompting an investigation by the FBI.

UCLA offered patients who may have been affected resources, such as 12 months of identity theft recovery and health care identity protection tools. Following the cyber attack in July, UCLA Chancellor Gene Block said the university would notify patients on a rolling basis if they were affected.

Compiled by Roberto Luna Jr. and Alejandra Reyes-Velarde, Bruin senior staff.

Comments are supposed to create a forum for thoughtful, respectful community discussion. Please be nice. View our full comments policy here.