The Parade of PHI Security Breaches: UCLA Rejoins the March and Merits Mixed Reviews for the Quality of its Public Disclosures
In a recent posting on this blog series, my partner William Maruca mentioned the multiple reported “snooping” intrusions from 2005 to 2009 by employees at UCLA Health System (“UCLA”) into medical records of celebrities “without a permissible reason.” Such snooping would constitute violations of the requirements under HIPAA/HITECH statutes and regulations. Ultimately, UCLA entered into a settlement agreement (the “Settlement Agreement”) with federal health regulators with respect to such incursions, which among other things, socked UCLA with a fine of $865,000.
Shortly after the Settlement Agreement was reported in July 2011, a new and different security breach was posted for UCLA (the “2011 Breach”) on the U.S. Department of Health and Human Services (“HHS”) Web site that lists breaches of unsecured PHI affecting 500 or more individuals (the “HHS List”). (Presumably the snooping intrusions were not on the HHS List because they affected fewer than 500 individuals.) The 2011 Breach was reported on the HHS List as a theft of an “Other Portable Electronic Device” on September 7, 2011, that affected the protected health information (“PHI”) of 2,761 individuals. UCLA has developed a mixed record of disclosure with respect to this most recent security breach.
UCLA is to be commended for having posted and maintained on its Web site (the “UCLA Web Site”) information on the 2011 Breach, as it has done with respect to the Settlement Agreement. This can be contrasted to a number of other covered entities previously identified in this blog series, such as Eisenhower Medical Center, that have not seen fit to post such security breaches on their Web sites. As a matter of fact, the posting on the UCLA Web Site about the 2011 Breach goes beyond the usual minimum level of disclosure to have a user-friendly, plain-language series of questions and answers to assist the site visitor.
The UCLA Web Site reported
The documents containing information did not include Social Security numbers or any financial information. They did include first and last names and may have included birth dates, medical record numbers, addresses and medical record information. . . . UCLA has engaged Kroll, a global leader in data security, to provide assistance to individuals affected by this incident.
Even though UCLA has retained a consultant to provide advice to potential victims of the 2011 Breach, to this point no credit monitoring has been offered, while other covered entities have done so in similar circumstances because some of the information that was included in theft could heighten identity theft risks.
There is also a perplexing discrepancy between the 2,761 individuals reported on the HHS List as having been affected in the 2011 Breach, as compared to 16,288 individual reported on the UCLA Web Site. The HHS Web site provides the following instructions regarding amendments to the number of affected individuals in a large PHI security breach:
If, at the time of submission of the form, it is unclear how many individuals are affected by a breach, please provide an estimate of the number of individuals affected. As this information becomes available, an additional breach report may be submitted as an addendum to the initial report.
While there can only be speculation as to the source of the discrepancy, best disclosure practices would appear to dictate that UCLA provide information to HHS to permit the HHS List to be corrected from the current number to the materially higher number of 16,288 individuals. If UCLA has reported the higher figure to HHS, which did not correct it on the HHS List, then there is a flaw in the HHS List posting process that does not update amended information received from covered entities.
More recently, an additional factor has surfaced to detract from the quality of UCLA disclosures respecting the 2011 Breach. Derek Hawkins of Law360 discusses the filing by a UCLA patient of a putative class action against UCLA in December 2011 relating to the 2011 Breach. The Hawkins posting criticizes UCLA for not commenting at all on the lawsuit.
Thus UCLA has been inconsistent in its post-2011 Breach disclosures. Prompt, decisive and compliant action by covered entities affected by PHI security breaches, including transparency and accurate and consistent disclosure, is necessary to maximize damage control, rehabilitate relations with clients and the public and reduce the likelihood of litigation and penalties for PHI security breaches.