A UCLA employee and patient now has celebrity-level security on her protected health information (PHI) as maintained by the UCLA Health system, but a jury denied her the $1.25 million in emotional distress damages she sought after a romantic rival improperly accessed that PHI and texted it to others.
Norma Lozano, a UCLA medical assistant, brought suit in April 2013 after learning that her romantic rival—now married to her ex-boyfriend—had improperly gained access to Lozano’s PHI and texted it to others, including Lozano’s ex. The rival was employed by a non-UCLA physician who had access to the UCLA Health system as a community affiliate physician. The physician (who settled with Lozano before trial) admitted that he had given his UCLA Health system access credentials to his office staff, including Lozano’s rival, who in turn improperly used them to access, photograph, and text Lozano’s PHI.
After returning the defense verdict, jurors explained that they felt that UCLA Health was not the proper target of Lozano’s suit. Jurors said they felt the policies and procedures UCLA Health had in place were sufficient under the circumstances, even though not all patients were afforded celebrity-level data security for their PHI.
Such enhanced information security requires users to enter their password a second time for access and to specify a legitimate reason for access. It is typically afforded to celebrities, public figures and others with a special need for an extra layer of information security. (At UCLA Health, it may have been implemented as part of the changes inspired by an $865,000 settlement with federal regulators in 2011 after the information of several celebrities had been repeatedly and inappropriately accessed by system employees.) Lozano now has it, too, but she and her attorneys had argued that all UCLA Health patients should have had it from the beginning. The jury disagreed.
Notably, Lozano’s suit was already pending when, earlier this summer, UCLA announced a much larger data breach involving the PHI of up to roughly 4.5 million patients, beginning as early as September 2014. A number of potential class actions now allege that UCLA didn’t do enough to protect PHI and improperly delayed announcing the breach. Those new cases are presently pending.
While the jury in this UCLA Health case seems to have agreed that celebrity-level security is not required for every patient, entities in possession of PHI may wish to consider evaluating the efficacy of any differing levels of information security protection they apply to PHI. Similarly, those entities may wish to consider reminding all users with access to PHI about the importance of keeping individual username and password information private and secure, even from those who assist in handling PHI; such assistants typically have their own usernames and passwords, with appropriate levels of access if needed. As noted in our recent post “Data Breach Costs Surge Again”, data breaches in healthcare are the most expensive to remediate, at a cost of nearly $400 per health record.