127 UCLA Medical employees implicated in privilege abuse

Date Reported:
8/4/08

Organization:
UCLA Medical Center

Contractor/Consultant/Branch:
None

Victims:
Patients, including celebrities*

*The celebrity factor makes this breach more sensational in the eyes of most mainstream media.

Number Affected:
Unknown

Types of Data:
Names, addresses, health information and Social Security numbers among other sensitive information

Breach Description:
"LOS ANGELES (AP) — More than 120 workers at a Los Angeles hospital looked at celebrities' medical records and other personal information without permission between January 2004 and June 2006 — nearly double the number initially reported earlier this year, according to a state report."

Reference URL:
The Mercury News
USA Today
Los Angeles Times
AHN

Report Credit:
Charles Ornstein, Los Angeles Times  (Props to Mom)

Response:
From the online sources cited above:

Even after UCLA Medical Center warned employees that it was cracking down on unauthorized access to medical records, the privacy of a "well-known individual" was breached by two nurses and an emergency room technician who called up the patient's computerized records in mid-April, according to a critical state report released Monday.

The California Department of Public Health also found that nearly twice as many medical center employees as had previously been reported peeked at confidential medical records at UCLA.
[Evan] If the state had not audited the hospital, would these breaches have ever been noticed?  I am not a big fan of government oversight or additional laws and regulations, but this breach may present a valid argument to support them.  When an organization does not adequately protect sensitive information, the consequences sometimes end up costing us all more.

Nearly 60 additional employees gained improper access to records between January 2004 and June 2006, the report said, bringing the total number of workers implicated in the growing scandal to 127.
[Evan] 127 workers were found to have gained improper access to personal records!?  This is an epidemic at the UCLA Medical Center.  Of course, I have to wonder if this is limited to the UCLA Medical Center or if this is a more widespread problem throughout the medical industry.  Let's not forget the numerous reports of IT personnel, customer support personnel, accounting personnel and others abusing their access privileges in other industries too.

Monday's report was the fifth by the public health agency following articles in The Times this year about UCLA employees' prying into the records of celebrities and prominent patients, including California First Lady Maria Shriver, actress Farrah Fawcett and singer Britney Spears.
[Evan] There probably wouldn't be over 300 results for a simple "UCLA Medical Center" search in Google News if it weren't for the celebrity factor.



State regulators continue to fault the hospital for failure to take adequate steps to maintain patient confidentiality.

After the April violations, the report said, one nurse was fired and the two other employees received warnings.

The latest findings detail how one employee -- a former administrative specialist who faces federal criminal charges for violating Fawcett's privacy -- looked at the records of 939 patients "without any legitimate reason" from April 2003 to May 2007.

In previous reports, the state had linked her to viewing the records of about 60 patients.

She also looked at other personal information, including Social Security numbers, the state now says.

"What we're seeing here is a clear pattern of repeated violations of patient medical records and patient confidentiality by UCLA," said Kim Belshe, secretary of the state's Health and Human Services Agency. "It is absolutely unacceptable."

Kathleen Billingsley, director of the state health department's Center for Healthcare Quality, confirmed that 127 UCLA workers have been implicated and said investigations into other breaches at the hospital continue.

"What's startling to us is, as we get to a point where we feel we've addressed a specific complaint and a specific issue, we identify additional issues," she said. "It's very disturbing to see this."
[Evan] This is not all that uncommon in an assessment or audit.  One thing leads to another which leads to another and on and on.  We most often find that the #1 cause of cascading issues is poor information security governance (at the top).  It is much harder to retrofit a poorly secured system with security than it is to integrate it from the start.

The hospital said it has notified all patients whose privacy was breached by the indicted woman, Lawanda Jackson

A major finding of the state's new report on UCLA is that Jackson was able to view the records of more than 900 people by using her supervisor's password.

According to a document reviewed by The Times, the supervisor whose password Jackson used is Alice Chan. Chan, who still works at UCLA as an intensive care unit director, declined to comment.
[Evan] If Alice Chan knowingly provided Lawanda Jackson with her password, then shouldn't she be held accountable as well?  People should be instructed that a password is confidential information and MUST be held in strict secrecy.  We instruct users to never disclose a password to anyone.  If a password is the sole authenticator, it is the only information that "proves" that you are who you say you are to the "system".  I only know what I read in regards to this breach, but I can tell you that people are fired every day for much lesser infractions.

Officials were able to connect Jackson to each case by examining her workstation

When reached by phone Monday afternoon, Jackson said, "I don't have any comment."

In April, she told The Times that she was "being nosy" when she looked at celebrity records.

"I didn't leak anything or anything like that," she said at the time. "It wasn't for money or anything. It was just looking."

Jackson was indicted by a federal grand jury April 9 on a charge of obtaining individually identifiable health information for commercial advantage.

Fawcett and her lawyers allege that Jackson leaked personal information about Fawcett's battle with cancer to the National Enquirer and other tabloids.

(The hospital) has updated its systems to block complete Social Security numbers from its main clinical systems
[Evan] I think that this is a good idea.  It's too bad that bad things had to happen first.  Other organizations should take heed and address information security concerns before something bad happens and is publicized.  I read an estimate somewhere that stated something like for every dollar spent on prevention, seven dollars is saved in loss and reaction.

It also has initiated new training on privacy for all staff and is enhancing security in its records systems.

"We have no excuses," Dr. David Feinberg, chief executive of the UCLA Health System, said in a statement. "UCLA should have detected the violations by Ms. Jackson years ago and should have immediately initiated the process to dismiss her."
[Evan] I think this is the most intelligent response I have read in my time commenting on over 450 breaches.  Coming from the chief executive adds to the significance.

Feinberg said the medical center continues to investigate.

"All other employees who were found to have violated patient confidentiality during our review have been disciplined, including some who have been terminated," he said. "On behalf of the entire leadership of the UCLA Health System, I am deeply sorry for this failure, and the personal distress these breaches may have caused."

Of the 59 employees newly linked to the breaches, 24 still worked at UCLA when they were identified, the state said
[Evan] If these 24 employees who still work at UCLA knowingly violated policy, then in my opinion it's tough to justify keeping them around.

The hospital has proposed firing seven, suspending six for two to three weeks each and providing verbal or written warnings to eight others

Three remain under investigation.

"Californians have every right to expect their medical records to be safeguarded and protected, and I am alarmed about repeated violations of patient confidentiality and the potential harm to the citizens of this state," Schwarzenegger said in a statement.
[Evan] The Governator speaks.  His statement makes sense to me.

"By putting financial penalties in place for those employees and facilities that do not follow these laws, this legislation will lead to better care for all Californians."

Under the legislation, being carried by Sen. Elaine Alquist (D-Santa Clara) and Assemblyman Dave Jones (D-Sacramento), healthcare workers who unlawfully view patient records would be fined from $1,000 to $250,000, depending on the seriousness of the violation.

Hospitals and other health facilities would face fines of $25,000 to $250,000 for similar violations.
[Evan] In my experience (limited), hospitals don't have a lot of money to spend on security to begin with.  It seems like their IT staff and information security personnel are typically underpaid too.  This is a dilemma.

In his statement, Feinberg said UCLA would continue to devote its attention to improving patient privacy.

"We can't undo the wrongs of the past," he said. "But we can and are redoubling our efforts to not only improve our training and security systems, but to create a culture where this type of behavior will not take place."

Commentary:
In my opinion, Mr. Ornstein at the Los Angeles Times put together an excellent article for this story.

Past Breaches:
Numerous


 