LOS ANGELES (CN) – UCLA Health Systems’ failure to encrypt patients’ medical and financial information exposed 4.5 million of them to a hacker attack, which UCLA knew six months before it told them, a patient claims in a federal class action.
Michael Allen claims UCLA Health Systems Auxiliaries violated its contractual obligation to protect the personal information of its patients. He sued the UCLA hospitals and the University of California Board of Regents on Monday, on behalf of “several millions of individuals.”
Allen, of Casper, Wyo., was treated at a UCLA Health Center in February 2013. He claims that the personal information he gave the hospital “was left in an unencrypted state and stolen by cyber thieves.”
“Due to defendants’ failure to take the basic steps of encrypting patients’ data, it was much easier for cyber thieves to interpret the information, use it to steal the identities of defendants’ patients or sell [it] to others,” Allen says in the complaint.
A months-long hacker attack targeted UCLA Health Systems, which admitted it did not take steps to encrypt patients’ data, the Los Angeles Times reported.
The unknown hackers got names, birth dates, Social Security numbers, medical information, ID numbers for Medicare and health insurance policies, and other information, according to the Times.
“We have notified and are working with the Federal Bureau of Investigation regarding this cyber attack. We continue to investigate the attack with help from third-party computer forensics experts,” UCLA Health Systems said on its Web page . It said it detected the attacks on May 5, and that they may have begun as early as September 2014.
Allen says UCLA Health Systems noticed “suspicious activity” on its computer systems in or around October 2014, but did not begin notifying patients until July 17 – the day the LA Times published its story.
“Underscoring its dilatory response, defendants are still delaying notifying individual consumers affected by the breach,” Allen says in the lawsuit.
He seeks class certification and damages for fraud, violation of medical confidentiality unlawful business practices, invasion of privacy, breach of contract and negligence, and unjust enrichment, and costs of suit.
He is represented by Kevin Mahoney of Long Beach, who was not immediately available for comment Wednesday.
- Splinter Band of Pomo Seeks Tribal Status
- Arthur V. Cervantes, individually and on behalf of all v. Chad Dickerson