UCLA breach shows that even home isn't always a safe place for data

Experts say the case underscores the need for medical practices to establish privacy-protection policies.

By Pamela Lewis Dolan — Posted Nov. 22, 2011

Even if practices think they have a strong data security plan in place, too often a new breach occurs that reminds them there are always additional steps that can be taken, or that certain vulnerabilities were overlooked.

The most recent reminder came through the UCLA Medical Center, which issued a public notice on Nov. 4 saying that an external computer hard drive belonging to a former employee, which contained information about 16,288 patients, was stolen during a house burglary. Although the data were encrypted, a piece of paper containing the password needed to decrypt the data was also found to be missing after the burglary.

UCLA said in the notice that the records did not contain Social Security numbers or financial information. But they did include first and last names and possibly birth dates, addresses and medical record numbers and information. The data ranged from July 2007 to July 2011. The theft occurred in September, and UCLA said it took until November to determine who was affected and obtain valid addresses for notification. The employee whose home was burglarized ended his employment with UCLA in July.

After this recent incident, UCLA said it is "reviewing its policies and procedures and will make any necessary revisions to help reduce the likelihood of such an incident occurring again."

Brian Lapidus, chief operating officer of Kroll Fraud Solutions, said practices need all employees to be cognizant of how important and valuable patient data are. Everyone in the office should "treat data like diamonds" and protect them.

Kroll was hired by UCLA to investigate the breach, but Lapidus did not comment about the case.

Although many physician practices have policies on patient data, there's often room to make the policies more specific, Lapidus said. Some employees may need reminding that placing notes on laptops with log-ins and passwords is not advisable. Machines and encryption tokens should never be together. Though encryption is a good way to protect data, "it is only one tool in an arsenal," he said.

"You can encrypt data, you can even encrypt your machines," but employees must know how the encryption works and its limitations, Lapidus said.

When it comes to policies on data that leave the practice, Lapidus' recommendation is to not take it home to begin with. "Do you really, really need to do that at home? Are there other things you can do? Is it worth the risk?" he asked. Each organization has to answer that, "but from my perspective, it's a risk not worth taking."

Previous breaches at UCLA helped prompt the drafting of two California patient privacy laws that went into effect in January 2009. The laws put more teeth into patient privacy rules and bolstered the penalties for not complying.

Before the law was introduced, several snooping cases were reported that involved celebrities, including former California first lady Maria Shriver and singer Britney Spears. About the same time the California governor signed the two patient privacy bills into law, a report published by the state health department found that snooping incidents at UCLA were much worse than thought. The study found that hospital workers inappropriately accessed the electronic medical records of 1,041 patients since 2003.

The first known person to be jailed for HIPAA violations in the U.S. was Dr. Huping Zhou, a cardiothoracic surgeon from China who was a researcher at UCLA. He was sentenced to four months in jail in April 2010 after pleading guilty to charges related to looking at patient medical records he was not authorized to view. The records included those of his immediate supervisor and co-workers as well as celebrities.

American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession.