Last Friday, UCLA Health admitted it was the latest American healthcare system to be hit by a massive data breach, this one compromising the medical records of up to 4.5 million patients. Specifically, UCLA Health discovered the breach on May 5, and waited until July 17 to admit this to the public. It's believed the hackers initially breached its security sometime in September 2014.
On Monday, former patient Michael Allen (who sought treatment at a UCLA Health center in February 2013) filed an attempted class action suit in U.S. District Court against UCLA Health Systems Auxiliaries on the grounds that it broke its contractual obligations to protect patients' data.
Allen filed in California's Central District on behalf of “several millions of individuals,” and claimed that personal information entrusted to the hospital was “left in an unencrypted state and stolen by cyber thieves.”
Medical identity theft
Of all possible forms of identity theft or identity fraud, medical identity theft is arguably the worst and most permanently harmful from the victim's perspective. Victims of credit card or similar forms of financial fraud are not expected to pay out of pocket to resolve the problem – but victims of medical identity theft often have to.
In February, when the Medical Identity Fraud Alliance (MIFA) released its Fifth Annual Study on Medical Identity Theft, it said that there were more than two million victims of medical identity theft in the United States alone in 2014. Furthermore, according to MIFA, 65% of medical identity theft victims ultimately had to pay more than $13,000 out-of-pocket to resolve the problem.
Arguably, some “problems” caused by medical-record theft can never be resolved. After all: If criminals steal your bank account or credit card numbers, it's fairly easy (albeit annoying and time-consuming) for you to cancel the contaminated accounts and get new ones. Changing your Social Security number is far more difficult, and not to be undertaken lightly, but it can be done if absolutely necessary.
But you can't change your actual medical history; if that information falls into untrustworthy hands, nothing you can do will make it obsolete.
In black-market cyberforums, where identity thieves and other criminals buy and sell stolen information for nefarious purposes, medical-record data is the most useful and valuable personal data type. Jim Trainor of the FBI's cyber security division has said that while the black-market value of a stolen credit card number is as little as five dollars, protected health information records can sell for as much as $60 to $70.
Healthcare breaches becoming common
The UCLA Health security breach was the fourth major American healthcare breach announced since the start of 2015, and the fifth in the past 12 months. In August 2014 the Community Health Systems network, which owns and operates 206 hospitals in 29 states, announced the discovery of a security breach allowing hackers to steal data from more than 4.5 million current and former patients. Anthem admitted to 80 million compromised patient records from a breach the following February; Premera Blue Cross admitted to a breach of 11 million in March; and CareFirst BlueCross/BlueShield announced a breach of 1.1 million records in May.
Michael Allen's newly filed lawsuit against UCLA Health asks the court to grant class action status, and seeks damages for fraud, negligence, invasion of privacy, breach of contract, violation of medical confidentiality, unlawful business practices, and unjust enrichment, plus legal costs.
According to Law360, if the suit is successful then, under California's Confidentiality of Medical Information Act, plaintiffs could be awarded up to $1,000 in statutory damages and $3,000 in punitive damages for each violation of the CMIA alone.