
Monday, July 20, 2015

UCLA Health System Identity Theft: Loving the Spin

UCLA’s own statement (https://www.uclahealth.org/pages/data2015.html) says that the health records of 4.5 million individuals were accessed as early as September 2014, and that the information involved includes “…name, address, date of birth, social security number, medical record number, Medicare or health plan ID number, and some medical information (e.g., medical condition, medications, procedures, and test results),” (same cite as above).

But what I really like is the way UCLA is spinning the hack. Other companies that have to disclose unauthorized access will likely learn a thing or two from it about announcing security failures that compromise consumer personal data. Consider the facts stated above, and then consider what they don’t reveal. That is the first part of the spin.

Why did UCLA wait so long to disclose the breach? According to CNNMoney on 7/17/2015 (http://money.cnn.com/2015/07/17/technology/ucla-health-hack/), UCLA Health’s Tod Tamberg stated that “…addressing…issues…and…identifying and notifying the potentially affected individuals was time-consuming.”


Why are Social Security numbers still stored in the records at all? After all, back in 2006, in an article entitled “Lessons from the UCLA Hack Attack,” by Jeremy Caplan, 12/12/2006, in TIME (http://content.time.com/time/nation/article/0,8599,1569163,00.html), which discussed a hack into the UCLA UNIVERSITY system, UCLA’s Jim Davis said the number-one goal was “…not to have Social Security numbers there in the first place.”

Why doesn’t HIPAA work? HIPAA is a real waste of government money because there’s little financial downside for hospitals unless gross negligence or intent is proven. You need look no further than July 7, 2011 to see how badly our taxpayer dollars are wasted on HIPAA administration.

In 2011, UCLA Health System was fined $865,000, virtually a junk fine for a health system of that size, after complaints by celebrities that their health records had been disclosed led to the discovery that the breaches had possibly been occurring since 1995. (You can read about this in an article for Computerworld by Jaikumar Vijayan at http://www.computerworld.com/article/2510066/data-privacy/ucla-medical-center-agrees-to-settle-hipaa-violation-charges-for--865k.html.)

So, let’s get this straight. In 2011 UCLA Health System was required to pay a virtual junk charge of $865,000 for HIPAA violations involving the disclosure of patient information dating back possibly to 1995. Also in 2011, according to the same article, “The corrective plan requires the hospital to implement HHS-approved security and privacy procedures, as well as to conduct ‘regular and robust’ training of all UCLA health system employees that use protected health information.”

So can we assume that UCLA had HHS-approved security and privacy procedures in place? Naturally, the 2011 fine was imposed because EMPLOYEES were found to be breaching patient privacy, so UCLA now focuses on the culprits being OUTSIDE hackers. Still, one must wonder, if this is how a health system with a corrective plan in place manages its security…

Now for the spin in the press release itself. We know that HIPAA is very forgiving of data breaches, usually imposing at most a nominal junk charge EXCEPT where gross negligence or fraudulent intent is proven. That is a high standard, and it is rarely met. The “it’s not my fault” defense is therefore worth real money to health systems under HIPAA.

So we get the magic spin of the “it’s not my fault” statements:

“We work hard to protect personal information,” “We take our responsibility to protect personal information entrusted to us very seriously,” “Our patients always come first and we are working diligently to strengthen the security of our networks,” (https://www.uclahealth.org/pages/data2015.html).

Then the magic of, “Not you but WE (UCLA) are the victims,” shifting the focus to poor UCLA Health System:

The heading of the press release sets the tone: “UCLA Health Victim of a Criminal Cyber Attack.” Then, in the body: “UCLA Health was the victim of a criminal cyber attack.”

Having shifted blame to the nameless, faceless hackers, UCLA’s next job is to minimize panic. Cleverly, it distorts the timeline to do this.

UCLA acknowledges that it first noticed “suspicious activity in October 2014.” The Health System walks a fine line here: the benefit of making the hack seem like OLD NEWS (though it is likely ongoing, since no fix has been described) must be balanced against appearing to miss the HIPAA Breach Notification Rule deadline (notification without unreasonable delay, and no later than 60 days after discovery).

UCLA avoids flagrantly ignoring HIPAA by explaining that although it knew of the intrusion, it did not know the intrusion involved personal medical information, which is what triggers the HIPAA notification requirement. Instead, UCLA Health System claims that from October 2014 until May 2015 it did not know that personal information had been accessed, and that it learned this only in May 2015.

Naturally, even pushing the discovery date from 10/2014 to 5/2015 doesn’t explain why notification took another 10 weeks, beyond the 60-day limit imposed by HIPAA, other than the assertion that the process is “time consuming.”

After emphasizing that it has no idea how, or whether, the medical information has been or will be used, UCLA moves on to its credit-card-style offer of credit monitoring and identity theft insurance, provided at no cost for a limited period of time.

The first major difficulty for consumers is that there’s little financial downside, and much upside, for insurers, hospitals and healthcare providers to cut corners on protecting consumer information. Security is expensive, and hospitals will likely whine that they have to raise the price of care to cover the cost of decent cyber-security, which will shut up many consumers. But who’s paying for all the AFTER-THE-FACT actions, such as hiring security firms, revamping systems, and credit monitoring for affected patients? Certainly those costs will ultimately rival the claimed “savings” of having shoddy security.

The second major hurdle for consumers is that there are no identity theft laws that award individuals DAMAGES based on the breach itself, rather than requiring them to prove “fault” and “damages.” The mere fact that an unauthorized disclosure was made should give consumers an automatic cause of action for a set amount of damages, without having to PROVE that the data breach caused them harm. This is necessary for two reasons: there is no time limit on when stolen information can be misused, and even in actual cases of identity theft, hospitals would argue that the damage could have come from some other leak, such as a credit card breach, and use that to get themselves out of trouble. Without facing an automatic loss of real money to the real victims of identity theft, the individuals, corporate double-talk and weak laws will keep individuals from ever seeing money damages.

The third major hurdle for consumers is that we have NO CHOICE but to opt into systems that have proven themselves inadequate. Usually customers can vote with their feet and go elsewhere. But breaches are the industry standard, and in order to obtain medical services we MUST submit to compromising our own privacy.

UCLA’s press release is a work of fanciful art that hits all the major touch-points: point blame at others, make yourself the “victim,” and show that you’re “trying” to fix the problem. But, as in other cases, the UCLA hack really shows how ineffective HIPAA is at protecting consumers, how little recourse affected individuals have to compensation for the unauthorized release of their records by institutions that force them to hand over those records in the first place, and how inadequate current security standards are.