
Health Care Informatics and System Breaches


Information Technology Breaches at a Healthcare Company:

UCLA Health and Implications for the Future

As our organization knows all too well, healthcare data breaches are occurring with alarming frequency. But just as hackers have more and more tools at their disposal to carry out such breaches, we too, as healthcare IT experts, managers, and providers, have more tools to guard against them. Online records have significantly improved patient care through comprehensive, sharable records. In wrong or inexpert hands, sharing of data can harm rather than heal. “The frequency of healthcare data breaches, magnitude of exposed records, and financial losses due to breached records are increasing rapidly” (Seh, 2020, par.1). Understanding how and why they have occurred in the past is important to ensure that they do not occur at our institution in the future.

Summary Statement

A good example of a recent data breach which ultimately resulted in legal action is the 2015 breach which occurred at one of the major university health systems in the United States. UCLA Health System’s failure to undertake appropriate data encryption measures resulted in the exposure of user information including Social Security numbers, health plan identification numbers, and personal medical and other identifying information of millions of patients in the UCLA system (Adler, 2020). Patients were not made aware of this until months after the data breach, further compounding the scandal.

Background

The reasons for the Health Insurance Management Systems (HIMS) breach are familiar ones. Firstly, UCLA did not perform due diligence and encrypt its patient data (Firestone, 2020). Although this has been a factor in other major data breaches of retail organizations, such as Target, UCLA Health’s was also a breach of the Health Insurance Portability and Accountability Act (HIPAA) (Firestone, 2020). Secondly, the organization was unwilling to admit failures. As always, the coverup is often worse than the crime. When evidence of its carelessness was revealed, instead of being honest and transparent, UCLA Health waited months before revealing it was well aware the breach had occurred, thus magnifying the challenges victims faced in taking steps they might wish to embark upon to secure their identities, such as credit monitoring (Adler, 2020). But this “circle the wagons” mentality itself may be one of the causes of the breach, or the simple fact that the organization is unwilling to be upfront with users about its weaknesses.

Thirdly, there is also evidence that healthcare institutions, such as UCLA and, of course, ours, are particularly vulnerable to such breaches. The degree to which internal misuse, rather than outside incursions, is responsible for the majority of breaches in healthcare is relatively unique. And fourth, while the reasons insiders are mainly responsible vary, one reason may be a lack of technological familiarity among many healthcare workers, who may be better versed in technology specific to healthcare provision than in data recording. In the case of UCLA, inadequate precautions taken by healthcare personnel in regard to IT may have been manifest because priority was given to healthcare system operations from a patient treatment perspective, rather than a data perspective.

Of course, another reason healthcare breaches are so significant is that such significant patient data is stored within healthcare institutions’ files. In the case of this particular breach, patient privacy and information security were significantly compromised. Social Security numbers, along with dates of birth, addresses, names, and Medicaid IDs can enable individuals’ identities and credit information to be impacted, and all were stolen in the breach (Adler, 2019). They can also be used to apply for loans such as mortgages and new credit cards. As well as being used to obtain money, Social Security numbers and other forms of identifying information can be sold to individuals wishing to conceal their identity, such as persons who are in the country illegally or criminals.

In addition to the risk to victims’ financial data, victims were also forced to suffer the additional difficulty of having to cancel credit cards and monitor their credit. Even though they were offered free credit monitoring, this is still a significant time and psychological burden that cannot be easily relieved. As patients of a healthcare institution, they had invested the organization with a significant degree of trust. The idea of their privacy being impinged upon in the area of their lives which they value the most could be psychologically damaging even to someone who was mentally healthy, and many individuals with physical health problems also have significant mental health problems.

Because UCLA Health did contact the FBI when it noticed suspicious activity on its website in 2014, the Department of Health and Human Services’ Office for Civil Rights did not hold the institution at fault, and approved of the new measures UCLA Health undertook to improve security and safeguard patient data in the future (Adler, 2014). However, because of the lack of transparency and prolonged foot-dragging on the part of the institution in telling the affected patients, a class action lawsuit was initiated, and ultimately resulted in a $7.5 million settlement against UCLA Health (Adler, 2014). The institution received negative publicity as a result, and generated public ill will.

Leadership reactions, in short, were not entirely a failure, given they did reach out to authorities and admit their flaws. But there was no attempt to address the understandable concerns of consumers, and a threat to consumer identity which was very real. The leadership underestimated the threat of a lawsuit because of the judgement of the Department of Health and Human Services, and the costs of litigating the suit, financially and personally.

Recommendations

Thus, three significant outcomes for the institution included a significant payment to affected persons, a reputation as an institution which was not transparent regarding data breaches, and significant cost. As part of the settlement, patients were entitled to a maximum of $5,000 per patient to take additional steps to secure their identity and up to $20,000 for any losses or damage caused by the carelessness of the health system (Adler, 2019, par.3). The system was flagged for its nontransparent and faulty leadership, which might have negative implications for future patients’ willingness to trust the institution with their health and personal information. And finally, in future, the organization must bend over backwards to take even more stringent precautions with data protection.

Overall, even though the payout was the result of a class action lawsuit, rather than being compelled by a government agency, requiring an institution to take steps to make amends for its errors seems to be part of both good healthcare ethics and good business practice. Our own institution must learn from the lessons of UCLA Health. First, we must constantly review the robustness of our encryption and data. Secondly, it is critical to ensure that data security and appropriate security hygiene are incorporated into orientation and continuing education programs for staff, to foster a culture where security is a priority (Hossain & Hong, 2020). Finally, if there is a breach, there should be procedures already in place through which to inform patients (and employees) and a plan to mitigate the damage, rather than waiting until the courts or regulators impose one.

Cite This Paper
"Health Care Informatics And System Breaches" (2021, June 04) Retrieved April 21, 2026, from
https://www.paperdue.com/essay/health-care-informatics-system-breaches-research-paper-2176289
