The UCLA Health System class action was filed against the University of California, Los Angeles, after a data breach put the private information of 4.5 million patients in jeopardy. The lawsuit, filed in the Los Angeles County Superior Court, states the UCLA Health System failed to protect the information. In addition, the hospital waited too long, allegedly 10 months, to disclose the breach following its discovery.
UCLA has not stated whether any information was actually accessed, but admits that the possibility exists. The breach possibly exposed information such as Social Security numbers, health plan identifications, and other personal medical information of the millions of patients in the UCLA system.
The UCLA Health System class action complaint further states that UCLA was negligent in not defending its data systems, especially in light of an increase in data breaches in general, such as the infamous Home Depot breach of 2014. According to the complaint, UCLA violated the Health Insurance Portability and Accountability Act (HIPAA) because it did not protect this data by performing simple safeguards, such as data encryption. Other violations the complaint lists include the Confidentiality of Medical Information Act, unfair competition, invasion of privacy, and negligence.
In an effort to mitigate damages and protect its patients, UCLA has offered any patients whose data may have been compromised 12 months of identity theft recovery services, as well as twelve months of credit monitoring services for those with Social Security or Medicare information. All of these services will be provided for free by the university.
A computer forensics expert and a public health expert would be useful in this case. A computer forensics expert would be able to provide information regarding when the breach likely occurred, and thus how long UCLA waited to reveal the information. They can also provide information on how likely a breach was to occur given the set-up of UCLA’s data system, including whether UCLA did enough to protect the data. A public health expert would be able to explain whether or not UCLA violated certain medical and health insurance policies and laws.