Cancer patient sues UCSD Health over 500K-record info breach
A patient in El Cajon, California, sued University of California, San Diego Health this past week over a security breach that potentially exposed the private information of 495,949 patients.
The plaintiff, Denise Menezes, is raising allegations of negligence, breach of contract, breach of confidence, and the violation of California's laws about medical privacy and unfair competition.
She is seeking class-action status.
"The data breach occurred because UC San Diego Health failed to implement reasonable security procedures and practices, failed to provide its employees with basic cybersecurity training designed to prevent 'phishing' attacks, failed to take adequate steps to monitor for and detect unusual activity on its servers, failed to disclose material facts surrounding its deficient data security protocols and failed to timely notify the victims of the data breach," read the complaint, which was filed in California federal court.
UC San Diego Health representatives said the university cannot comment on pending litigation.
WHY IT MATTERS
According to the complaint, Menezes is being treated for breast cancer at UC San Diego Health's Moores Cancer Center.
In September 2021, she received a notice informing her that she was among the patients whose data – including, in her case, full name, claims information, medical record number and treatment information – had been exposed in a phishing incident.
According to UC San Diego Health, the hackers may have had access to private information for months.
Still, "UC San Diego Health’s letter created more questions than it answered," according to the complaint.
Menezes' attorneys say UC San Diego Health waited months to get in touch with individual patients, despite publishing a general notice about the incident in June.
"Of course, a website posting did not identify which specific patients were impacted and was inadequate to affirmatively alert individuals impacted by the data breach to take measures to protect themselves," said the complaint.
They also say the letter is "downplaying the risk of misuse" and is missing key information about the incident or the hackers' identities.
"As a result of the data breach, Ms. Menezes has spent time and effort researching the breach and reviewing her financial and medical account statements for evidence of unauthorized activity, which she will continue to do for years into the future," said the complaint.
The complaint says that UC San Diego failed to comply with basic recommendations and guidelines that would have prevented the breach from occurring, stressing the negative consequences of medical identity theft.
"Each data breach increases the likelihood that a victim’s personal information will be exposed to more individuals who are seeking to misuse it at the victim’s expense," said the complaint.
"Now that the investigation is complete, notifications to individuals whose data was impacted were sent beginning September 7, 2021, on a rolling basis where contact information was available," said UC San Diego Health representatives in response to a request for comment.
"UC San Diego Health worked deliberately, while taking care to provide accurate information, as quickly as it could," they added, noting that the university arranged for individuals whose data was impacted to receive one year of free credit monitoring and identity theft protection services through IDX.
"In addition to these actions, UC San Diego Health began taking remediation measures to enhance their security controls which have included, among other steps, changing employee credentials, disabling access points, and enhancing security processes and procedures," said the representatives. "While there are a number of safeguards in place to protect information from unauthorized access, UC San Diego Health is also always working to strengthen them so we can further minimize the risk of this type of threat activity."
THE LARGER TREND
The lawsuit is proof that for health systems that are victimized by cyberattacks, the financial fallout can go beyond paying a ransom (something the feds still advise against) or having to halt procedures.
And UC San Diego Health isn't alone. Earlier this year, Scripps Health, also in San Diego, faced a handful of suits after a ransomware incident led to a weeks-long network shutdown.
ON THE RECORD
Menezes "suffered emotional distress knowing that her highly personal medical and treatment information is now available to criminals to commit blackmail, extortion, medical-related identity theft or fraud, and any number of additional harms against her for the rest of her life," according to the complaint.
Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.