ProPublica

Journalism in the Public Interest

UCLA Health System Pays $865,000 to Settle Celebrity Privacy Allegations

Alleged breaches of patient privacy at UCLA involving entertainers like Farrah Fawcett, Michael Jackson, Britney Spears and others have been a source of embarrassment for the health system for several years. UCLA said it has taken steps to improve protection of patient privacy rights.

Georgina Verdugo, director of the HHS Office for Civil Rights

UCLA Health System in Los Angeles has agreed to pay the federal government $865,000 to resolve allegations that its employees violated federal patient privacy laws by snooping in the medical records of two celebrity patients.

According to the U.S. Department of Health and Human Services, between 2005 and 2008, unauthorized UCLA employees repeatedly looked at the electronic files of numerous other patients, as well.

“Employees must clearly understand that casual review for personal interest of patients’ protected health information is unacceptable and against the law,” said Georgina Verdugo, director of the HHS Office for Civil Rights, in a statement.

Breaches of patient privacy at UCLA have been a source of embarrassment for the health system for several years. In 2009, we reported how Farrah Fawcett set up a sting operation to prove to UCLA that one of its employees was leaking information about her cancer to the National Enquirer. In an exclusive interview, Fawcett criticized UCLA for failing to protect her medical records from nosy employees.

"It's much easier to go through something and deal with it without being under a microscope," she said. "It was stressful. I was terrified of getting the chemo. It's not pleasant. And the radiation is not pleasant."

Fawcett, who died in June 2009, was not the only one whose records were inappropriately accessed by UCLA employees. Other celebrities included pop star Britney Spears and former California First Lady Maria Shriver. Their ordeal prompted the California Legislature to pass a law allowing fines against hospitals that do not protect patient privacy.

In May 2009, we reported that Kaiser Permanente’s Bellflower hospital was fined $250,000 for failing to protect the privacy of Nadya Suleman, mother of the octuplets. UCLA also was fined $95,000 last year by the state health department for similar breaches involving pop singer Michael Jackson’s death.

Separately, in January 2010, a former UCLA employee pleaded guilty to four counts of illegally reading private and confidential medical records, mostly from celebrities and other high-profile patients. Huping Zhou was sentenced to four months in federal prison in April 2010.

The agreement with HHS requires UCLA to conduct regular trainings for all health-system employees who have access to patient records, to sanction employees who break the rules and to designate an independent monitor who will assess its compliance over the next three years.

In a statement, UCLA said it has worked “diligently to strengthen our staff training, implement enhanced data security systems and increase our auditing capabilities.”

"Our patients' health, privacy and well-being are of paramount importance to us," said Dr. David T. Feinberg, CEO of the UCLA Hospital System and associate vice chancellor for health sciences, in the statement. "We remain vigilant and proactive to ensure that our patients' rights continue to be protected at all times."

Since 2003, when HHS began enforcing the privacy provisions of the Health Insurance Portability and Accountability Act, it has received 61,333 complaints. Of those, 20,877 have been investigated and 13,745 resulted in corrective actions of some kind.

Only a handful have resulted in monetary settlements or fines. The largest fine was issued earlier this year against Cignet Health of Prince George’s County, Md. It was fined $4.3 million for violating 41 patients’ rights by denying them access to their medical records. Other large settlements have included CVS Pharmacy Inc. and Rite Aid Corp., both of which were accused of disposing of patient records and identifying information in unsecured dumpsters and trash cans.

Deborah C. Peel, MD

July 7, 2011, 8:33 p.m.

HHS penalties did not include protecting the privacy of the millions of patients seen at UCLA between 2005 and 2009. Perhaps if UCLA had been required to search and discover exactly how many times patient data was viewed and potentially copied and sold, then we could have some idea if the fine was high enough.

Studies by FairWarning when installing systems to improve hospital data security found that every hospital experienced 24-129 breaches per month or 188-1,560 breaches per year. So it is very likely that extremely large numbers of patients’ records were snooped in or worse. See: “Steady Bleed, State of HealthCare Data Breaches” at http://mobile.informationweek.com/10244/show/079a02715f11b8c2fae15b3ba4cc3c9b&t=56a8c58013ae1cabb002c406786b9466

The penalties should have included at the very least credit monitoring for the millions of people UCLA admitted during those 4 years. In light of UCLA’s callous disregard for patient privacy for many years, the fine seems extremely low.

Deborah C. Peel, MD
Founder and Chair
Patient Privacy Rights
http://www.patientprivacyrights.org

No doubt the fine is a slap on the wrist for UCLA. Unbelievable.

I would have expected somebody there to be a snoop-it is, after all, Los Angeles. What I would have HOPED-and what obviously did not happen-was that someone would have set up much better privacy guards in the first place. Obviously, either I am still naive enough to believe in the decency of mankind or there was somebody at the outset who already saw the opportunity for profit in having this information “bank” available to them. I suspect the latter strongly.

People are snoops. My own family members are snoops. If I don’t lock things up (and sometimes even if I do), they’re into it. My mom used to complain that I locked my diary. “Why would you want to keep me out of your diary? Are you saying things about me?”  The phenomenon is pervasive. We can’t stay out of other people’s business even when we are told to do so.

Telling people to stay out isn’t enough. Probably the only way to make people stay out is to make it so painful to stick their noses into the files that they have permanent negative aversion. Although-for some folks-I’m not sure exactly how much negative stimulus that would have to be…

I like the idea of credit monitoring, Dr. Peel. I think you’re onto something there in LA. The rest of the country-not so much. Mostly-they just want the “dirt”. It’s usually employees and they need to be kicked to the curb. Fast!

What do people expect with so much corruption in the medical industry? We have Dollars for Docs (Legal Drug Dealing). Thousands of unnecessary surgeries, church involvement (they own many hospitals). Numerous Medicaid and Medicare fraud. Erroneous billing. A Pharmaceutical company that actually had a hand in running a concentration camp during WW II (IG Farben, now known as Bayer). Who knows how many people now addicted to medication/drugs in this country and others. The Eugenics experiment in this country and others. Made up Syndromes to sell more drugs. Psychiatry, a disgusting tradition unto itself. This type of stuff doesn’t surprise me a bit. I know a few people who work in hospitals, I wouldn’t trust them as far as I could throw them. Best course of action, stay away from hospitals, they are all sick and dirty. Personally, I think the worst thing in the world today is the supposed healthcare our society receives, when you total up the deaths (don’t forget Hitler was drugged by his doctor, 50-70 million deaths later…), you can see a clear picture of what healthcare has to offer.

Mike, you are clearly a believer in the canon of the Scientology Cult. Your tangential rant makes little sense. To imply that Hitler is a victim of anything, much less a doctor, shows that you have never read a history book. His beliefs and plans are clearly documented, by him, in a little book called “Mein Kampf”, which, ironically translates into “My Plan”. As for everyone else that you dislike, including but not limited to your family, the health industry, psychiatry, and hospitals, makes me believe that you’ve had some bad experiences and have generalized your belief system to explain them. For that, I’m sorry, but do some fact checking.

UCLA (University of California, Los Angeles) is a California state university, correct?  So fines levied against UCLA by the federal government are ultimately paid by the California state government… which means the fines are paid by California taxpayers.  Is that reasonable?

Well, sure… about as reasonable as fines being paid by banks, out of funds supported by depositors and/or investors money.

Why not hold everyone involved personally responsible?  Why continue to allow (and thereby encourage) fine-paying by organizations on behalf of employees who break the law? 

The rationale, I’m sure, is that this will force organizations to police themselves.  Either that, or it will force the “leaders” of these same organizations to conduct cost/benefit analyses to discover whether it will be more of a risk to themselves personally to allow the organizations to continue to take responsibility for the actions of a few bad actors, or for the few bad actors to be held personally liable. 

Seems like they’ve already done that, though.  Because, how many executives actually pay fines and/or go to jail?  ‘nuf said.

It truly baffles me why anyone is concerned about this “small” incursion on our privacy, when the Fourth Amendment, which was supposed to remind the gummint we created waaay back when, that We the People retained, vis-a-vis this new gummint, the right to be free from unreasonable searches of our persons, places and things—and to get over that hurdle, to “demonstrate reasonableness,” if you will, a warrant had to be issued, sworn to under oath, as to the very particular persons, places and things to be searched and/or seized, has been repealed, in fact and in law (de facto and de jure).

    How?  The Usapat Riot Act (aka U.S.A.P.A.T.R.I.O.T. Act) dropped the requirement of a warrant. Why? ‘Cuz we wuz “attacked” on 9/11/2001. But that’s never been proven in a court of law or by an independent investigation by an independent prosecutor with the level of funding required to bring on the investigation and inevitable prosecutions.

  How else? Well, since Jan or Feb of 2002, the National Surveillance Agency (NSA) has installed, secretly, sort of, using “National unSecurity Letters” and brow-beating, computers (called “splitter boxes”) astride the trunk lines of all US telecommunications companies. That’s 2002, or about one decade ago.

  These computers copy every single binary digit—bit—of information that travels over these communications lines, and ships the copies off to disk farms (data centers, Cloud Cuckoo Computerland—see the pictures of Apple Computer’s new $1 Billion facility in Maiden, NC on the Apple web site (the last few minutes of Steve’s June presentation to the Apple World Wide Developers’ Convention, and on YouTube)).

  According to James Bamford and Jane Mayer, these data centers are in Texas and, a new one, in Utah.

  What’s it mean? That every phone call, cell phone call, Skype Internet call, every Instant Message, every Tweet, every email, every record that has been converted to digital information, that uses the telecom fibers or wires going outside its buildings, is copied and “mined” for information. I’m assuming that even “virtual private networks” are accessed by the NSA, as they use the same “infrastructure” (fiber & wire cables and cell towers, etc.).

  Even “private” networks that don’t go out of a physical private network can be and probably are copied by electrical induction or something more modern. Remember those little things with a suction cup you could attach to the receiver of your phone and tape your telephone conversations, without having to re-wire the telephone’s innards? That’s induction at work.

  I suppose the only antidote for this incredible gummint lust for spying on its bosses, its management, that is, We the People, is to make the National Surveillance Agency’s system and database completely public. Put webcams and microphones in every federal, state and local office, everywhere in the House, Senate, White House, Pentagon, Justice Department.

  As the NSA can now do, type in someone’s name, and bring up all of the information stored (perhaps erroneously—nothing’s perfect, right?) on the named person, the country’s management (that would be us, the US citizens) could type in, say, George W. Bush, and pull up all of his email, financial records (including IRS filings, SEC filings, etc.), all of his conversations. Same thing with Dick Cheney (that’s obviously a no-brainer to want to get at his data, conversations, the secret “Energy Committee” that was parcelling out the Iraq oilfields back in Jan/Feb of 2001). And of course, all tape-recordings done in the White House, a la the Nixon Tapes.

  And of course, we’d want to be able to type in David Rockefeller, Lloyd Blankfein, Jamie Dimon, George Soros, the Koch Bro., Obama, Clinton, Boehner, Pelosi, McConnell, etc., and take a gander at all their information.

  Otherwise, the gummint, whether under Republicrat or Demican dominion, will continue to usurp the so-called “power of the people,” arrogate unto itself the rights/powers to do anything and everything it chooses. Just as the CIA recognizes no law outside the United States (and it hardly bothers with US laws, either, as we’ve seen with assassinations, break-ins, torture, kidnapping, collateral murder), our gummint says it can start wars without a declaration of war from the Congress, can imprison people for years without filing charges or allowing them to challenge their imprisonment with a Writ of Habeas Corpus, which was pretty much in good standing since, I think maybe 1066 Common Era. But no longer in America, despite its inclusion in Article I of the Constitution.

  Long story short: Privacy of health records is tiddly-winks. Until we all get access to the National Surveillance Agency’s gigundous database it has on all of us, we’ve been “had,” as they say. Our goose has long ago been killed, plucked, cooked…and eaten. Perhaps our only remaining hope? Not yet digested.