Kusserow on Compliance: Once again, UCLA cited for PHI security breaches

On September 1, 2015, UCLA issued a notice of a new breach as a result of a stolen laptop that contained personal health information (PHI). Some 1,242 individuals’ data were on that laptop, including names, medical record numbers, and other health information. However, Social Security numbers, credit card numbers, and other financial information were not on the laptop. This breach followed shortly after another, larger breach in July 2015, when hackers broke into the UCLA Health System’s computer network. That breach, which resulted in part from UCLA’s failure to take the basic step of encrypting patient data, may have compromised as many as 4.5 million patients’ information.

These two recent breaches are not the first for UCLA. In 2008, UCLA had a problem when individuals were found prying into the medical records of celebrities, including Britney Spears, Farrah Fawcett, and Maria Shriver, among others, leading to one person being convicted of selling celebrity medical information to the National Enquirer. UCLA paid $865,500 in a settlement for this breach with the HHS Office for Civil Rights (OCR). In addition to the burden of having to send a huge volume of letters to affected persons, something no health care provider likes to do, a breach also requires the institution to pay the penalty of having undesirable publicity.

The OCR has estimated that more than 41 million people have had their PHI compromised in privacy and security breaches; however, the true number is much greater, because most breaches involve fewer than 500 individuals and, therefore, are not subject to public disclosure. The OCR continues to report settlements with providers, including a notable settlement with Cancer Care Group, P.C., for $750,000 for another lost laptop that contained the PHI of 55,000 patients.

This is a reminder that even large and sophisticated systems continue to be vulnerable to security breaches. This trend is likely to continue because the health care sector is being driven to build, too quickly, systems large enough to house the huge amount of data each organization maintains and, in some cases, to convert paper records to digital patient information. The rapid pace at which these huge data warehouses are developed leads to control weaknesses. In addition, there is the continuing problem of individuals not following security procedures, especially for laptops and flash drives, or being careless in leaking information on notable patients. The OCR records indicate that the most common types of entities with breach vulnerability problems are physician practices, hospitals, and outpatient facilities, with the most commonly reported problems involving inadequate administrative safeguards for electronic data and disclosure of more than the minimum necessary information.

Lessons learned

  • Conduct baseline security reviews of systems containing PHI.
  • Do not rely solely upon in-house IT professionals, who may lack understanding of, or familiarity with, the specific security requirements that apply to PHI.
  • Place particular focus on laptops and flash drives to ensure that passwords are used and that stored data is encrypted.
  • Concentrate technical reviews on whether encryption and other security controls are properly applied.
  • Review technical safeguards down the chain (i.e., at business associates).

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2015 Strategic Management Services, LLC. Published with permission.