UCLA Health has settled a class action lawsuit filed by victims of a 2014 data breach for $7.5 million.
The UCLA Health breach was one of the largest data breaches in history. Hackers accessed the private information of 4.5 million patients. The FBI assisted UCLA Health in investigating suspicious activity detected on the hospital’s network.
The forensic investigation confirmed that hackers had succeeded in gaining access to UCLA Health’s network. However, investigators initially thought that the hackers had failed to gain access to the parts of the network where patients’ medical information was stored.
On May 5, 2015, UCLA confirmed that the hackers had in fact gained access to parts of the network containing patients’ protected health information. The hackers may have accessed names, addresses, dates of birth, Medicare IDs, health insurance information, and Social Security numbers. UCLA Health had failed to encrypt some of the data.
The Department of Health and Human Services’ Office for Civil Rights investigated the breach. The investigators were satisfied with UCLA Health’s response to the breach and noted that the health network had since implemented technical and administrative safeguards to improve security.
UCLA Health did not face a financial penalty for the breach. However, a class action lawsuit was filed on behalf of patients affected by the breach. The plaintiffs alleged that UCLA Health had failed to inform them about the breach promptly, that there had been a breach of contract and violations of California’s privacy laws, and that UCLA Health’s failure to protect the privacy of patients constituted negligence.
UCLA Health notified patients about the breach on July 15, 2015, under 60 days from the discovery that PHI had been compromised. Although this is in line with HIPAA’s Breach Notification Rule, the plaintiffs believed they should have been notified more quickly, given the fact that the breach had occurred 9 months previously.
UCLA Health has agreed to settle the case for $7.5 million. As a part of the settlement, all patients affected by the breach can claim two years of free credit monitoring and identity theft protection services. Patients are also allowed to submit a claim to recover costs incurred in protecting themselves against unauthorised use of their personal and health information. If they have been a victim of fraud or identity theft, they may submit a claim to recover the losses they may have suffered.
Patients can claim up to $5,000 to cover the costs of protecting their identities and up to $20,000 for any losses or damage caused by identity theft and fraud. UCLA Health has set aside $2 million of the $7.5 million settlement to cover patients’ claims, and the remaining $5.5 million is being paid to a cybersecurity fund which will be used to improve cybersecurity defences at UCLA Health.
Patients have until May 20, 2019, to submit an objection or exclude themselves from the settlement. Preventative measure claim forms must be submitted by June 18, 2019, and patients must enrol in the free credit monitoring and identity theft protection services by September 16, 2019. The deadline for submitting claims for the reimbursement of losses is June 18, 2021.
The final court hearing on the settlement is scheduled for June 18, 2019.