Suit against UCLA Health System filed for breach

A class-action suit has been filed seeking potentially as much as $16 million in damages for a data security breach involving the encrypted, but still vulnerable, electronic medical records of patients at the UCLA Health System.

The suit, filed in Los Angeles County Court against the regents of the university, doing business as UCLA Health System, lists one named plaintiff, Ani Oganyan, a patient at the Ronald Reagan UCLA Medical Center on multiple visits between April and June 2011.

According to the 10-page complaint, on Sept. 6, 2011, an external hard drive storing the records of Oganyan and about 16,000 other patients who are part of the class was stolen during a home invasion at the residence of a physician working with the UCLA Faculty Group.

The records spanned from July 2007 to July 2011, the compliant said, and “the encryption passwords necessary to unscramble the medical informant (were) stolen during the home invasion as well.” Neither the hard drive nor the passwords have been recovered, the suit says.

A public statement by the health system reporting the breach in November said records of 16,288 patients were involved and the password “was written on a piece of paper near the hard drive and cannot be located.”

The records contained the patients' names, dates of birth, addresses, medical record numbers and “medical record information,” the UCLA statement said.

The complaint alleges the UCLA Health System violated the California Confidentiality of Medical Information Act, which bars healthcare providers from disclosing patient medical information without written authorization, as well as “its legal duty to protect the confidentiality of such information when it lost possession of the hard drive and encryption passwords.”

The suit seeks statutory damages under the California law of $1,000 per class member, any general, special and consequential damages “according to proof,” interest, attorneys' fees and costs and any further the relief the court deems proper. The Los Angeles law firm of Kabateck Brown Kellner is representing the plaintiffs.

In July, the UCLA system announced it had entered into a settlement agreement, including a $865,000 payment, with the Office for Civil Rights at HHS over alleged federal privacy and security rule violations between 2005 and January 2008.