
Lawsuits: Negligence Led to UC San Diego Health Incident

2 Proposed Class Actions Filed in Incident Affecting Nearly 496,000 Individuals
Two lawsuits allege UC San Diego Health security failures led to a breach found in 2021 involving a 2020 phishing incident.

Two proposed class action lawsuits filed this week in a California federal court allege negligence and a variety of other claims against UC San Diego Health in the wake of a phishing incident that affected nearly 496,000 individuals.


The lawsuits - filed by two separate UC San Diego Health patients - allege that the entity's failure to take adequate cybersecurity measures allowed attackers access to individuals' sensitive data for at least four months before detection - and that UC San Diego then failed to provide timely breach notification to individuals affected.

Breach Details

The California healthcare system, which includes four hospitals and more than a dozen clinics, in a July 27 public notification statement said that on March 12 it was alerted to "suspicious activity" and immediately launched an investigation.

On April 8, UC San Diego determined there was unauthorized access to some employee email accounts from Dec. 2, 2020, to April 8, the notification said.

Individuals' information that may have been accessed or acquired in the email account breach includes name, address, date of birth, email, fax number and claims information - including date and cost of healthcare services and claims identifiers, laboratory results, medical diagnoses and conditions, medical record numbers and other medical identifiers, UC San Diego said in its notification statement.

Other potentially compromised data includes prescription information, treatment information, medical information, Social Security number, government identification number, payment card number or financial account number and security code, student ID number, and username and password, the entity said.

The U.S. Department of Health and Human Services' HIPAA breach reporting website - which lists health data breaches affecting 500 or more individuals - shows that UC San Diego Health on June 8 reported the incident as an “unauthorized access/disclosure” breach affecting a network server and 333,000 individuals.

A UC San Diego Health spokeswoman, however, tells Information Security Media Group that the since-updated number of individuals affected by the data breach is 495,949 individuals.

UC San Diego Health Statement

UC San Diego Health declined ISMG's request for comment on the litigation.

In a statement Friday, however, the healthcare system noted that now that its investigation is complete, notifications to individuals whose data was affected were sent beginning Sept. 7, "on a rolling basis where contact information was available."

UC San Diego Health is offering one year of free credit monitoring and identity theft protection services to those affected.

In addition, the healthcare system says it has begun taking remediation measures to enhance its security controls. That includes, among other steps, changing employee credentials, disabling access points and enhancing security processes and procedures, the statement says.

"While there are a number of safeguards in place to protect information from unauthorized access, UC San Diego Health is also always working to strengthen them so we can further minimize the risk of this type of threat activity," the statement says.

Lawsuit Allegations

Both lawsuits contend that the timeline - when the UC San Diego phishing incident occurred, when it was detected and mitigated, and when affected individuals were notified - is troubling.

The lawsuit complaint filed by plaintiff Richard Hartley on Sept. 22 alleges that once hackers obtained access to UC San Diego Health's systems on or around Dec. 2, 2020, "those malicious actors had easy access to the sensitive information stored by Defendants."

Although the healthcare system discovered suspicious activity on its systems on March 12, it took until April 8 for the entity to identify the incident as a "security matter" and "expel" the intruders, providing malicious actors four months to view and exfiltrate plaintiffs' and class members' sensitive information, the complaint alleges.

While UC San Diego posted a notice of the data security incident on its website in late July, the healthcare provider did not begin notifying affected individuals until about Sept. 9, the complaint notes.

"UC San Diego Health’s patients’ sensitive information is likely for sale on the dark web and … is still for sale to criminals," the lawsuit alleges.

As a healthcare provider, UC San Diego "knew, or should have known, the importance of safeguarding the patients’ sensitive Information entrusted to them and of the foreseeable consequences if their data security systems were breached," the complaint alleges.

Security Failures

Plaintiff Denise Menezes in her lawsuit filed on Sept. 20 lodges similar allegations.

The data breach occurred because UC San Diego Health "failed to implement reasonable security procedures and practices, failed to provide its employees with basic cybersecurity training designed to prevent 'phishing' attacks, failed to take adequate steps to monitor for and detect unusual activity on its servers, failed to disclose material facts surrounding its deficient data security protocols, and failed to timely notify the victims of the data breach," the complaint alleges.

Menezes alleges, among other claims, that UC San Diego Health should have implemented "industry-standard measures … long before the Data Breach occurred."

That includes installing software that scans all incoming messages for harmful attachments or malicious content, implementing security measures governing email transmissions, including Sender Policy Framework, DomainKeys Identified Mail and Domain-based Message Authentication, Reporting and Conformance, the lawsuit contends.
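As an added illustration, not part of the article or of either complaint, the following Python check evaluates the SPF and DMARC records the complaint names and flags the settings that leave a domain spoofable. The domains and TXT records are constructed sample data embedded inline (no DNS lookups), and DKIM is left out because verifying it requires a selector and a signed message.

```python
# Added example: assess a domain's SPF and DMARC posture from its TXT records.
# SAMPLE_TXT is constructed data for placeholder domains; a real check would
# fetch the records over DNS, which is omitted so this runs offline.

SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.mail.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "hardened.test": ["v=spf1 include:_spf.mail.test -all"],
    "_dmarc.hardened.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.test; adkim=s; aspf=s"
    ],
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain: str, txt=SAMPLE_TXT) -> list:
    """Return defender-actionable findings; an empty list means enforcing posture."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record published")
    elif len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records cause a permerror")
    elif spf[0].rstrip().endswith(("+all", "?all")):
        findings.append("SPF: permissive 'all' qualifier lets any sender pass")
    elif spf[0].rstrip().endswith("~all"):
        findings.append("SPF: softfail (~all) only marks forged mail, does not reject it")
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record; SPF/DKIM results are never enforced")
        return findings
    tags = parse_dmarc(dmarc[0])
    if tags.get("p", "none") == "none":
        findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so no aggregate reports to detect abuse")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: only pct={tags['pct']} of failing mail is policed")
    return findings


if __name__ == "__main__":
    for d in ("example.test", "hardened.test"):
        print(d, assess_domain(d) or ["enforcing posture"])
```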

Seeking Security Improvements

The two complaints allege a variety of claims, including negligence, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, breach of confidence and violation of federal and state privacy-related laws.

Among other relief, the lawsuits seek damages and an injunction for UC San Diego Health to adopt stronger security practices to safeguard patients’ information from future incidents.

Lessons to Learn

Regulatory attorney Krystyna Monticello of the law firm Attorneys at Oscislawski LLC notes that while reporting requirements in states differ, "the HIPAA notification clock starts to run from the time of discovery, which can be a fact-sensitive determination. Under HIPAA, entities must report breaches affecting 500 or more individuals within 60 days of discovery.

"It may further take longer to determine whether, to what extent, and whose patient information was or may have been compromised," she notes. "Covered entities need to remain very conscious of any timing requirements during the course of what can be often protracted forensic analysis and investigation, and ensure their legal counsel remains involved in the process as well."

Regulatory attorney Paul Hales of the Hales Law Group notes that top leadership at other large entities should learn critical lessons from the UC San Diego Health situation as the litigation plays out.

"Analysis of large organization data breaches invariably exposes institutional failures that proper oversight would have identified and prevented," he notes. "It is high time all healthcare CEOs and boards learn it. Rampant medical identity theft threatens each patient’s safety and financial well-being," he says.

"The plaintiffs in both cases have alleged the UC San Diego Health breach has caused real harm to them and the class they represent. Certainly the breached information can be used to steal their financial and medical identity and cause them to suffer great harm."

Nonetheless, for a federal case, plaintiffs must demonstrate they have standing by proving they suffered actual concrete harm, he notes. "The Supreme Court of the United States put it succinctly in June of this year in a case called TransUnion LLC v. Ramirez: 'To have Article III standing to sue in federal court, plaintiffs must demonstrate, among other things, that they suffered a concrete harm. No concrete harm, no standing.'"

About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
