McCuneWright, LLP has filed a class action lawsuit against UCLA Health System, UCLA Medical Sciences and The Regents of the University of California. The suit was filed due to the compromising of private data that may have affected as many as 4.5 million patients in a breach earlier this year.
The complaint was filed 29 July in Lost Angeles County Superior Court on behalf of Miguel Ortiz and others in similar situations. The suit alleges that “personally identifiable information (PI) and other highly sensitive information was stolen,” and that defendants knew the information was a probable target for cyber-attack. Despite UCLA's own past of being hacked less than a decade ago and other recent data breaches, the defendants failed to invest in adequate security or take basic steps such as data encryption.
UCLA states that it is possible that patients had their names, social security numbers, date of birth, health plan ID numbers and specific financial and medical information compromised in the breach of the health system's computer network n 17 July.
The hospital discovered unusual activity on a computer server in October 2014 and began investigation with the FBI back then, According to UCLA, investigators determined that hackers accessed parts of the network holding patient details on 5 May.
The complaint advised that patients were not notified in a timely fashion after the discovery of the breach and that the defendants violated the Customer Records Act, Confidentiality of Medical Information Act and invasion of privacy.
Richard McCune, partner of the litigation firm and national spokesperson said: “UCLA has the responsibility to take the steps necessary to protect their patients' sensitive information and comply with HIPAA guidelines. It's not clear why a university of UCLA's size and notoriety would not do more to secure their patients' most private information.”
According to the World Privacy Forum, despite the fact that healthcare is now a prime target, the industry isn't prepared to deal with the threat.
More than half of healthcare organisations said that they don't think their incident response process has adequate funding and resources. One third of respondents don't have an incident response process in place.
When a breach occurs, two thirds of organisations do not offer protection services for the affected patients.
Larry Ponemon, chairman and founder of the Ponemon Institute says, “Over the five years, the percentage of incidents that occur due to criminal attacks versus negligence has increased by 125 percent. Over the past two years, 91 percent of healthcare organisations reported at least one breach, 39 percent reported two to five data breaches, and 40 percent had more than five data breaches.”