UCLA cleared in data breach lawsuit
A court has found that the UCLA Health System is not responsible for the unauthorized release of information from a woman's medical record and therefore the organization does not have to pay the $1.25 million the plaintiff sought for emotional distress and invasion of privacy.
The plaintiff, Norma Lozano, alleged that an employee used a physician's login information to access her medical record, then took photos of and distributed data from the record. The employee was romantically involved with Lozano's ex-boyfriend and the shared information revealed she had a sexually transmitted disease.
Lozano accused UCLA of not doing enough to prevent unauthorized access to her medical records, including failing to enable a second form of security before the breach occurred.
The hospital claimed that it should not be held responsible for the misconduct.
Lozano's case focused on a second layer of security, but that layer might not have prevented the breach: it requires users of UCLA's EMR to enter their password twice and to provide a reason for viewing the record, steps that someone already using a physician's login information could complete.