Cancer patient sues UCSD Health over 500K-record info breach

A individual in El Cajon, California, sued University of California, San Diego Health this earlier week over a protection breach that perhaps uncovered the non-public details of 495,949 patients.  

The plaintiff, Denise Menezes, is raising allegations of negligence, breach of deal, breach of confidence, and the violation of California’s regulations about medical privacy and unfair opposition.   

She is searching for class-motion status.  

“The knowledge breach transpired simply because UC San Diego Health failed to put into practice affordable protection procedures and methods, failed to give its personnel with simple cybersecurity instruction made to prevent ‘phishing’ assaults, failed to consider ample measures to watch for and detect strange action on its servers, failed to disclose product facts encompassing its deficient knowledge protection protocols and failed to well timed notify the victims of the knowledge breach,” go through the criticism, which was filed in California federal court.

UC San Diego Health associates explained the university cannot remark on pending litigation. 

WHY IT Matters  

According to the criticism, Menezes is remaining treated for breast cancer at UC San Diego Health’s Moores Cancer Center.

In September 2021, she been given a see informing her that she was among the people whose knowledge – like, in her scenario, comprehensive title, promises details, medical file range and treatment method details – had been uncovered in a phishing incident. 

According to UC San Diego Health, the hackers may perhaps have had accessibility to non-public details for months.  

Nonetheless, “UC San Diego Health’s letter made more queries than it answered,” in accordance to the criticism.  

Menezes’ lawyers say UC San Diego Health waited months to get in contact with person people, despite publishing a common see about the incident in June.  

“Of class, a website posting did not detect which particular people had been impacted and was insufficient to affirmatively inform individuals impacted by the knowledge breach to consider measures to secure them selves,” explained the criticism.  

They also say the letter is “downplaying the risk of misuse,” and missing key details about the incident or the hackers’ identities.  

“As a consequence of the knowledge breach, Ms. Menezes has expended time and exertion investigating the breach and reviewing her economical and medical account statements for proof of unauthorized action, which she will keep on to do for decades into the future,” explained the criticism.  

The criticism says that UC San Diego failed to comply with simple tips and pointers that would have prevented the breach from transpiring, stressing the negative effects of medical identity theft.  

“Each knowledge breach increases the likelihood that a victim’s particular details will be uncovered to more individuals who are searching for to misuse it at the victim’s price,” explained the criticism.  

“Now that the investigation is complete, notifications to individuals whose knowledge was impacted had been despatched commencing September 7, 2021, on a rolling basis the place get hold of details was available,” explained UC San Diego Health associates in response to a ask for for remark.

“UC San Diego Health labored intentionally, though using treatment to give correct details, as quickly as it could,” they extra, noting that the college organized for individuals whose knowledge was impacted to obtain a person calendar year of cost-free credit score checking and identity theft safety services by means of IDX.

“In addition to these actions, UC San Diego Health commenced using remediation measures to enrich their protection controls which have integrated, among other measures, changing employee qualifications, disabling accessibility factors, and boosting protection processes and procedures,” explained the associates. “Though there are a range of safeguards in put to secure details from unauthorized accessibility, UC San Diego Health is also constantly doing the job to improve them so we can more lessen the risk of this form of threat action.”

THE More substantial Development  

The lawsuit is proof that for overall health systems who are victimized by cyberattacks, the economical fallout can go past spending a ransom (a little something the feds even now recommend from) or obtaining to halt procedures.  

And UC San Diego Health just isn’t by itself. Earlier this calendar year, Scripps Health, also in San Diego, confronted a handful of fits soon after a ransomware incident led to a months-extensive community shutdown.  

ON THE History  

Menezes “suffered psychological distress knowing that her remarkably particular medical and treatment method details is now available to criminals to dedicate blackmail, extortion, medical-similar identity theft or fraud, and any range of additional harms from her for the rest of her existence,” in accordance to the criticism.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Electronic mail: [email protected]
Healthcare IT News is a HIMSS Media publication.