A proposed class action filed in California federal court on July
20 (Allen v. UCLA Health Systems Auxiliary et al., case no.
2:15-cv-05487 in the U.S. District Court for the Central District
of California) alleges that the UCLA Health System Auxiliary and
The Regents of the University of California (together, "UCLA
Health") failed to adequately secure the private financial and
health information of 4.5 million patients receiving services at
their hospitals.
The patient information was stored in an unencrypted state on a
server that was accessed by cyber thieves. Generally, healthcare
organizations require that data be encrypted in transit (such as
email) or on mobile devices. This lawsuit takes the standard one
step further and claims that private financial and health data must
be encrypted even when stored on an internal server. The plaintiff
accuses UCLA Health of fraud, invasion of privacy, breach of
contract, negligence, and violating California laws, including the
Confidentiality of Medical Information Act ("CMIA") and
California's Unfair Competition Law, Section 17200, et seq. of
the Business and Professional Code.
Although Connecticut does not have a broad confidentiality statute
like the CMIA, the Connecticut Supreme Court held last year (as previously discussed here) that the HIPAA privacy standards can be
used to establish the standard of care required to protect privacy
and that a patient may sue a healthcare provider for negligence and
emotional distress caused by an alleged violation of these
standards. Thus, Connecticut hospitals and other providers would be
well served to assess their security risk for unencrypted data and
take appropriate proactive steps to avoid exposure for class action
claims similar to those filed against UCLA Health.