A jury declined to hold UCLA Health System liable for emotional harm caused by the breach of a patient’s medical records. The plaintiff sought $1.25 million in damages. The plaintiff alleged she became depressed after UCLA failed to adequately protect her health information from a romantic rival’s unauthorized access. The rival, an employee of a UCLA-affiliated doctor, used the doctor’s log-in credentials to access the plaintiff’s records on the UCLA system. The doctor, who shared his log-in information in violation of  UCLA policy, separately settled with the plaintiff.

The plaintiff contended that UCLA’s safeguards were inadequate in part because it failed to automatically implement a second layer of protection to prevent unauthorized access. UCLA pointed out that this was not industry practice and that the protection is available to patients upon request. This “break-the-glass” authentication requires staff to re-enter their passwords and cite a reason for viewing a particular patient record. The jury found UCLA did not cause the unauthorized access and therefore was not liable for the plaintiff’s emotional harm.

TIP: To help protect themselves from civil liability for an employee’s unauthorized access, health systems should have policies and training mechanisms in place to educate employees and should take swift action to sanction violators.