Los Angeles, CA: UCLA Health System Auxiliary is facing a data breach class action over allegations it failed to provide security measures capable of preventing a recently reported data breach. According to the California health care provider, they experienced a data breach that potentially exposed 4.5 million patients' personal medical information to hackers.
Filed on behalf of plaintiff Michael Allen, the lawsuit contends that the breach was the direct result of the hospital network' failure to take the "basic steps"necessary to safeguard patient information. Further, Allen claims that by allowing the hack to occur, UCLA Health broke a contractual promise to its clients.
"Due to defendants' failure to take the basic steps of encrypting patients' data, it was much easier for cyber thieves to interpret the information, use it to steal the identities of defendants' patients, or sell to others who would use defendants' patients' personal and health information,"the complaint states.
Allen alleges he made multiple visits to a UCLA Health center starting in February 2013, all requiring him to provide his personal information. Due to the sensitive nature of the now-compromised information, Allen claims he is at risk for identity theft, the result of which can take years to deal with. The information that was compromised includes social security numbers, names, Medicare numbers, addresses and more.
Additionally, the complaint criticizes UCLA Health for not revealing the UCLA data breach sooner, noting that it had begun investigating a possible breach in October but didn't disclose the attack until about nine months later.
The lawsuit contends that in light of a recent trend involving hackers targeting "big players"in the health care industry, as well as scrutiny by security experts and patient advocates, UCLA should have been better prepared.
"Defendants knew or should have known of the risks inherent in maintaining their customers' nonpublic personal and health information, and if such information was stolen, it would have dire consequences for those customers,"Allen states.
While UCLA Health has maintained that it is unable to confirm if any information was actually stolen, an investigation conducted with the aid of the FBI revealed that the hackers may have accessed parts of servers that contain patient information.
According to a statement by UCLA, the cyber attack likely occurred in September 2014. UCLA consists of four hospitals and numerous primary- and secondary-care facilities in the Los Angeles area.
Allen accused UCLA Health and the university' board of regents of fraud, invasion of privacy, breach of contract, negligence and violating California laws, including the Confidentiality of Medical Information Act (CMIA). Every violation of the CMIA entitles individual class members to $1,000 in statutory damages plus an additional $3,000 in punitive damages, according to Allen, who is also seeking another $1,000 per violation of California's Business & Professions Code.
Allen is represented by Kevin Mahoney of Mahoney Law Group APC and Briana M. Kim of Briana Kim PC. The case is Allen v. UCLA Health Systems Auxiliary et al, case no. 2:15-cv-05487 in the U.S. District Court for the Central District of California.
