Patients have filed a class-action suit against UCLA Health, resulting in a $7.5 million settlement, after a data breach exposed their protected health information (PHI).
UCLA first discovered suspicious activity on its network in October 2014 and turned to the FBI for help. During that time, it was determined that no medical records were compromised. Yet in May 2015, hackers broke through the system and gained access to patient PHI. PHI is any demographic information that can be used to identify a patient. Approximately 4.5 million patients’ names, addresses, Social Security numbers, and medical record numbers were ultimately exposed, along with other possible forms of identification.
The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) concluded that UCLA Health responded appropriately to the breach and was satisfied with the university’s post-breach efforts.
However, patients beg to differ.
Patients were not satisfied with the potential exposure of their PHI, and have filed a class-action lawsuit arguing that UCLA Health failed to notify them about the data breach in a reasonable and timely manner.
The HIPAA Breach Notification Rule outlines the process that HIPAA-beholden entities must follow in the event of a breach affecting PHI or electronic PHI (ePHI). The Breach Notification Rule differentiates between two types of breaches depending on the size and scope, known as Minor and Meaningful breaches. Organizations must report all breaches to HHS OCR regardless of the size, but the specific protocols vary depending on the type of breach.
In this case, the UCLA data breach is classified as a meaningful breach because it affected more than 500 individuals. Meaningful breaches must be reported within 60 days of discovery of the incident.
UCLA Health notified patients about the breach on July 15, 2015. However, patients claimed that UCLA should have notified them within the 60-day timeframe, rather than nine months later.
Patients can claim up to $5,000 to cover identity protection costs and $20,000 for any losses caused by the data breach. They have until May 20 to object to the settlement.
An organization that fails to implement the safeguards required by the HIPAA Security Rule exposes itself to violations and fines. In order to maintain compliance with HIPAA Security standards, organizations must have the proper Physical, Technical, and Administrative safeguards in place to protect the confidentiality, integrity, and availability of PHI.
The takeaway from this UCLA data breach and class-action lawsuit is that the risks associated with a HIPAA violation do not end with an HHS OCR investigation. With state Attorney General fines, civil HIPAA lawsuits, and class-action lawsuits on the rise, data breaches have far-reaching consequences that can have a devastating impact on the affected organization.
That’s why implementing an effective compliance program that addresses the full extent of HIPAA Privacy and Security standards is so important. Limiting exposure to data breaches in the first place is where healthcare organizations should dedicate their efforts. HHS has developed The Seven Fundamental Elements of an Effective Compliance Program as the minimum requirements that healthcare organizations must have in place. The seven elements include:
- Implementing written policies, procedures, and standards of conduct.
- Designating a compliance officer and compliance committee.
- Conducting effective training and education.
- Developing effective lines of communication.
- Conducting internal monitoring and auditing.
- Enforcing standards through well-publicized disciplinary guidelines.
- Responding promptly to detected offenses and undertaking corrective action.
HIPAA compliance programs work best when they’re integrated into the management of your business to establish a culture of compliance to defend against data breaches and fines!