A cancer patient in California is taking UC San Diego Health to court over a data breach last winter that potentially exposed the personal and medical information of nearly half a million patients, employees and others.
Denise Menezes, of El Cajon, has accused the healthcare provider of negligence, breaching contract and going against state consumer and privacy and medical confidentiality laws in the litigation by failing to utilize reasonable security practices and train employees efficiently on how to avoid phishing scams, according to Healthcare IT News.
She also criticized it for taking too long to notify patients and for lacking procedures necessary to identify the intrusion quickly. She claims that the breach violates HIPAA privacy and security rules, reported The San Diego Tribune.
The healthcare system made the attack public knowledge in July, saying that a phishing scam between December and April led to unauthorized access of certain email accounts. Named in the suit are Reagents of the University of California who are doing business at UC San Diego Health. The university declined The Tribune’s request for comment.
“Patients should trust that their most private medical results will not be made public, and that their medical visits will not leave them at risk for identity theft. This breach was preventable — had UC San Diego Health had the right data protection protocols in place,” San Diego Attorney Jason Hartley, who is working with lead counsel Stueve Siegel Hanson of Kansas City, told The Tribune.
The breach includes full names, addresses, dates of birth, email addresses, fax numbers and claims information such as dates and costs of care received, laboratory results, medical diagnoses and conditions, medical record numbers, prescription information and treatment information. Social Security numbers, government identification numbers, financial account numbers, student identification numbers, usernames and passwords also may have been hacked.
For Menezes, who is being treated for breast cancer, her full name, claims information, medical record number and treatment information were exposed in the incident, according to Healthcare IT News.
Working with external cybersecurity experts, UC San Diego Health launched an investigation and reported the breach to the FBI. It began notifying 495,949 patients earlier this month of the event on a rolling basis where contact information is available, reports The Tribune.
It previously posted a general notice about the incident on its website back in June, although this “did not identify which specific patients were impacted and was inadequate to affirmatively alert individuals impacted by the data breach to take measures to protect themselves,” said Menezes’ complaint.
In a statement, UC San Diego Health said that it has since changed employee credentials, disabled access points on its network and enhanced security processes. “While there are a number of safeguards in place to protect information from unauthorized access, UC San Diego Health is also always working to strengthen them so we can further minimize the risk of this type of threat activity.”
UC San Diego Health is offering one year of free credit monitoring and identity theft protection services through IDX, a data breach remediation service, to potentially affected individuals. Its coverage includes a $1 million insurance reimbursement policy and fully managed identity theft recovery.