A proposed class action filed in California federal court on July 20 (Allen v. UCLA Health Systems Auxiliary et al., case no. 2:15-cv-05487 in the U.S. District Court for the Central District of California) alleges that the UCLA Health System Auxiliary and The Regents of the University of California (together, “UCLA Health”) failed to adequately secure the private financial and health information of 4.5 million patients receiving services at their hospitals.

The patient information was stored in an unencrypted state on a server that was accessed by cyber thieves. Generally, healthcare organizations require that data be encrypted in transit (such as email) or on mobile devices. This lawsuit takes the standard one step further and claims that private financial and health data must be encrypted even when stored on an internal server. The plaintiff accuses UCLA Health of fraud, invasion of privacy, breach of contract, negligence, and violating California laws, including the Confidentiality of Medical Information Act (“CMIA”) and California’s Unfair Competition Law, Section 17200, et seq. of the Business and Professional Code.

Although Connecticut does not have a broad confidentiality statute like the CMIA, the Connecticut Supreme Court held last year (as previously discussed here) that the HIPAA privacy standards can be used to establish the standard of care required to protect privacy and that a patient may sue a healthcare provider for negligence and emotional distress caused by an alleged violation of these standards. Thus, Connecticut hospitals and other providers would be well served to assess their security risk for unencrypted data and take appropriate proactive steps to avoid exposure for class action claims similar to those filed against UCLA Health.