UCLA On Celebrity Health Records: We Have No Excuses
As part of our ongoing internal investigation, UCLA Health System did a comprehensive review of patient confidentiality breaches dating back several years and found additional violations. We discovered that a former employee, Lawanda Jackson, looked at dozens of high-profile patient records from 2003-2007. In addition, we determined that Ms. Jackson accessed personal information, including addresses, phone and Social Security Numbers (SSN) of more than 1000 patients. Ms. Jackson was never disciplined for these earlier breaches. In May 2008, when we confirmed the breach to personal information, including SSNs, we immediately notified the California Department of Public Health, as well as the U.S. Attorney’s office. And, in accordance with California law, we notified all individuals who had their confidential personal information accessed. Our systems have been enhanced so that they now block complete SSNs from our main clinical systems.
“We have no excuses. UCLA should have detected the violations by Ms. Jackson years ago, and should have immediately initiated the process to dismiss her. All other employees who were found to have violated patient confidentiality during our review have been disciplined, including some who have been terminated. On behalf of the entire leadership of the UCLA Health System I am deeply sorry for this failure, and the personal distress these breaches may have caused,” said Dr. David T. Feinberg, CEO, and interim associate vice chancellor UCLA Hospital System.
“We are focused on two things now – one looking backward, the other forward. First, we continue our internal investigation to make sure we have uncovered any and all violations of patient records. We are working with DPH and the federal authorities toward this goal.
“Second, starting May 19, 2008 we implemented a new training and certification module for the Health Insurance Portability and Accountability Act (HIPAA). All doctors, staff, and students must complete certification by August 18. As of today, 98 percent have complied. In addition, on May 26, 2008 a new clinical information system became operational. This system will provide an enhanced level of restricted access based on user authentication and role, where a reason for access may be requested and required before access is provided. We also have more than doubled the number of individuals who we proactively audit to ensure their privacy is maintained.
“We can’t undo the wrongs of the past. But we can and are redoubling our efforts to not only improve our training and security systems, but to create a culture where this type of behavior will not take place,” Dr. Feinberg stated.