“It Was Just Me Being Nosy,” Claims Snooping Employee in UCLA Medical Privacy Breach
By Privacy Maven | April 9, 2008
The employee at the center of the UCLA Medical Center medical privacy breach scandal, claims nosiness as her motive. That’s somewhat akin to a security guard caught sleeping, saying, “That was just me taking a nap.” Although UCLA would not release her name, the LA Times found her and interviewed her.
The UCLA Medical Center employee who allegedly pried into the private medical records of the governor’s wife and 60 others in a burgeoning scandal was a low-ranking administrative specialist who told The Times on Tuesday that “it was just me being nosy.”
“Clearly I made a mistake; let’s put it like that,” Lawanda J. Jackson, 49, said when asked in a telephone interview why she improperly looked at the records of so many patients, including California First Lady Maria Shriver and actress Farrah Fawcett.
“I didn’t leak anything or anything like that,” said Jackson, who had worked at the hospital since she was 16. “It wasn’t for money or anything. It was just looking.”
UCLA took steps last May to fire Jackson after determining that she had inappropriately accessed dozens of electronic medical records, UCLA officials say. But the employee resigned in July before she could be fired, spokeswoman Roxanne Moster said. (Previously, the hospital told The Times that it had fired Jackson.)
Neither UCLA nor state health officials have confirmed Jackson’s identity, but The Times was able to verify it.
The breaches have triggered several state investigations and created a major embarrassment for UCLA. The hospital could face serious sanctions from the California Department of Public Health, and Jackson could face criminal charges for allegedly violating a federal privacy law.
Although such charges are uncommon, federal prosecutors in Los Angeles have launched a preliminary inquiry into the matter, a source in the U.S. attorney’s office said Tuesday.
“We’re certainly interested and we’re looking into it,” said the source, who asked not to be named because he was not authorized to speak publicly about the case.
Among the 61 patients whose records Jackson allegedly viewed in 2006 and 2007 were 33 celebrities, politicians and other well-known people, state officials have said.
UCLA’s ability to keep patients’ information private has been at issue since The Times reported last month that the university was trying to fire 13 workers and was disciplining 12 others for peeking into the records of pop star Britney Spears, who was hospitalized in its neuropsychiatric unit in January. (More.)
Britney Spears
As the LA Times article goes on to point out, it may not be as simple as one nosy employee. In an earlier story, the LA Times discussed other celebrity medical privacy breaches at UCLA.
When asked last week if there were other recent high-profile breaches along the lines of the ones involving Spears and Fawcett, UCLA’s chief compliance and privacy officer Carole A. Klove said, “Not to my knowledge.” A UCLA spokeswoman said Sunday that Klove was referring only to current cases.
While looking into the breaches in Fawcett’s case, a state inspector discovered the other violations Friday. The state Department of Public Health said it now has several investigations underway, and it is working with the federal government.
“UCLA assured us — the state — that the initial breach [of Spears’ records] was an anomaly,” Belshé said. “And we have since learned that, simply put, it is not anomalous.”
The latest development at UCLA highlights the irony that as privacy laws have become stronger, the computerization of medical records can increase the risk of unauthorized scrutiny.
Such widespread breaches, however, appear to be rare. Computers allow UCLA and other hospitals to track which employees call up individual records.In Spears’ case, Feinberg said, UCLA was able to quickly identify trespassers and take almost immediate action against them, demonstrating that the medical center had learned from previous lapses.
Shriver and Gov. Arnold Schwarzenegger were notified Friday evening that her records had been viewed inappropriately, state officials said Sunday.
Shriver, a former contributing anchor to Dateline NBC and niece of President Kennedy, could not be reached Sunday.
In a statement, Schwarzenegger said that “a breach of any patient’s medical records is outrageous” and that he had called on his administration to take action after the first incident — Spears’ case — was reported last month.
“Patients’ medical records should be private — period,” Schwarzenegger said. “No one should have to worry that an unauthorized person is reviewing their private medical records.” (More.)
California Governor Arnold-Schwarzenegger and First Lady Maria Shriver
The problem is not lack of laws, but lack of enforcement.
When Congress passed a federal medical privacy law more than a decade ago, it was hailed as a new level of protection for patients nationwide. But even though the government has received about 34,000 complaints of privacy violations since it officially began enforcing the law five years ago, only a handful of defendants have been criminally prosecuted.
The half a dozen or so cases mainly involved clerical workers who pilfered patient information, using it to open credit card accounts or selling it to crooks who tried to bilk Medicare and the Internal Revenue Service.
Moreover, although the federal Health and Human Services Department has the authority to levy civil fines on medical service providers for privacy violations, it has yet to do so.
The recent revelation of snooping by UCLA Medical Center employees into the files of Britney Spears, Farrah Fawcett, California first lady Maria Shriver and dozens of other patients, however, may force a second look at the federal law, widely known as HIPAA, the Health Insurance Portability and Accountability Act of 1996.
Critics say the government’s approach — which focuses on getting providers to correct violations — may be too lenient, particularly at a time when medical records are increasingly being shifted from file folders to computers. In addition, a Justice Department legal opinion has stated that the law applies primarily to organizations — hospitals, health insurance plans and doctors’ offices — and only secondarily to individuals such as the low-level clerks most often implicated in information theft.
“If you are punishing the [organization] but not the person who actually did the dirty deed, then we are missing the boat,” said Doreen Z. McQuarrie, a Houston lawyer who specializes in healthcare issues and has studied the federal law.
The law was supposed to have had its greatest impact behind the scenes, ushering in a new era of sensitivity to patient privacy in the healthcare industry. But skeptics say that has not been the case.
“What the rules were supposed to do was regulate one of the most common conversations we have: ‘How are you?’ ” said Dennis Melamed, editor of the Health Information Privacy/Security Alert, which tracks the law and its enforcement. “They did it with an incomplete set of instructions, and when you are talking about an industry as huge as healthcare, that gets to be pretty difficult.” (More.)
In the final analysis, something needs to be done besides officials making the usual apologetic, hand wringing statements after the fact. To learn more about U.S. medical privacy laws and what you can do to protect yourself, see the following resources.
- EPIC Medical Privacy Resource Page
- Office for Civil Rights - HIPAA
Topics: Public Figures and Privacy, Medical Privacy | No Comments »
More Snooping at UCLA: Farrah Fawcett’s Medical Privacy Breached
By Privacy Maven | April 4, 2008
Farrah Fawcett’s medical privacy has been breached at UCLA Medical Center. Details of her cancer treatments and speculations about her state of mind that were published in The National Enquirer were derived from the sale of this information, making this case especially egregious and painful for Fawcett. As the LA Times reports.
Months before UCLA Medical Center caught staffers snooping in the medical records of pop star Britney Spears, ’70s TV icon Farrah Fawcett learned that a hospital employee had surreptitiously gone through records of her cancer treatments there, documents and interviews show.
Fawcett’s lawyers said they are concerned that the information may have been subsequently leaked or sold to tabloids, including the National Enquirer.
Shortly after UCLA doctors told Fawcett that her cancer had returned — and before she had told her son and closest friends — the Enquirer posted the news on its website. Indeed, alarming headlines regularly cropped up in the Enquirer and its sister publication, the Globe, within days of Fawcett’s treatments at UCLA.
UCLA terminated the employee who inappropriately reviewed Fawcett’s records, according to a person familiar with the matter who spoke on condition of anonymity.
This was the second time that Fawcett’s privacy had been breached at UCLA. In a 2006 letter, one of her physicians, Gary Gitnick, informed Fawcett that a former hospital contractor had listed her name on his blog, “suggesting you are a patient and/or charitable donor of mine and UCLA.”
As Fawcett, now 61, was being treated at UCLA, officials had been monitoring access to some records to guard against a privacy breach — and found none, said Carole A. Klove, chief compliance and privacy officer for UCLA’s health system.
But after the Enquirer ran its exclusive story, “Farrah’s Cancer Is Back!,” last May, Fawcett complained to another of her doctors, Eric Esrailian, and UCLA launched an investigation and looked at additional records systems. The hospital then discovered “multiple reviews” of her records by a worker who was not involved in Fawcett’s treatment, Klove said.
Klove said the hospital found no evidence that the worker had either disclosed or sold the information she acquired. Klove would not identify the worker involved, citing privacy rules.
[…]
Fawcett, who appeared in the 1970s television series “Charlie’s Angels,” the TV movie “The Burning Bed” and a bestselling swimsuit poster, declined to comment.
Associates say the latest breach has left her shaken. She plans to meet with Dr. David Feinberg, chief executive of the UCLA Hospital System, but the meeting has been postponed several times and is being rescheduled.
“She’s been invaded — and these are the people who she entrusted her life to,” said Craig J. Nevius, who is producing the upcoming documentary “A Wing and a Prayer,” which chronicles Fawcett’s battle with anal cancer and her efforts to protect her privacy.
One of Fawcett’s lawyers, Kim Swartz, said his client was reluctant to sue over the leaked information, but added, “This is such an ugly situation.
“This has been very hard for her,” Swartz said. “Not knowing who has her personal information has taken an incredible toll on her.” (More.)
Farrah Fawcett publicly revealed her battle with cancer in 2006. This case further underscores the need and importance to guard everyone’s medical privacy.
Topics: Public Figures and Privacy, Medical Privacy | No Comments »
YouTube Awards Bypass Britney’s No. 1 Privacy Advocate
By Privacy Maven | March 21, 2008
Chris Crocker’s “Leave Britney Alone!” receiving tens of millions of views and inspiring thousands of imitators and satirists seemed a sure bet for a YouTube award. As viral as the video was, we would like to think that the concept of privacy and respect for an individual’s dignity and sanctity — even if he/she is a celebrity! — went viral, too. The Guardian also took note of this and other glaring omissions in the list of YouTube Award winners.
Imagine an Oscars ceremony where the biggest stars go home empty-handed. That’s what happened today at YouTube’s second annual video awards, as Obama Girl, the Don’t Tase Me, Bro student, and other stars of viral video got nominated but lost to unlikely newcomers.
In the politics category Amber Lee Ettinger, aka Obama Girl — who became a household name thanks to her sexy clip declaring “I’ve got a crush” on the presidential candidate — lost to a far grittier video supporting Middle East peace talks, put together by global activist group Avaaz.org.
The eyewitness category, devoted to user videos of live events, pitted the famous plea of a college student before police subdued him with a Taser against gripping footage of protesting monks in Burma and wildfires in California.
But the winner was Battle at Kruger, a vivid clip of lions and buffalo fighting to the death shot by a holidaymaker on safari in South Africa.
You can watch all of the 2007 YouTube Award nominees and winners here.
Along with the Chris Crocker “Leave Britney Alone!” privacy advocacy…..
…we appreciated the worldwide impact of the Gainesville Sun’s video of Andrew Meyer, “Don’t Tase Me Bro,” in bringing attention to the cavalier and irresponsible user of Tasers which we have discussed earlier.
Two more of our favorites, both in the Politics category, did not win. We appreciated the lessons imparted in the Mike Huckabee/Chuck Norris video, “HuckChuckFacts” …..
….and “Congressman Ron Paul Visits My Dorm Room”
Topics: Public Figures and Privacy, Social Networking | No Comments »
Nonpartisan Snooping? Passport Breach Hits All 3 Presidential Candidates
By Privacy Maven | March 21, 2008
What’s a Presidential candidate to do, other than issue statements and demand investigations?
The State Department said on Friday that it was investigating several incidents in which the passport files of all three presidential contenders were improperly accessed by employees.
The breaches involved electronic files that contained personal information about Senators Barack Obama, Hillary Rodham Clinton and John McCain. A State Department spokesman declined to say what was in those files, but he said they were likely to contain biographical information and passport applications.
Mr. Obama’s passport file was breached on three separate occasions earlier this year and as recently as last week, by three employees working for independent contractors who did not have authorization to access the information. The breaches occurred on Jan. 9, Feb. 21, and March 14, according to The Associated Press.
The State Department’s computer system had flagged each incident, but senior department officials were not informed until they looked into the matter, after receiving inquiries from a reporter on Thursday, a department spokesman said. “That information didn’t rise up to senior management levels,” the spokesman, Sean McCormack, said at a Friday news conference. “That should have happened.”
Two of the employees were fired, Mr. McCormack said. The Associated Press reported that they had worked for Stanley, Inc., a company that provides administrative support and services to government groups and is based in Arlington, Va. Stanley signed a five-year, $570 million contract with the State Department earlier this week to work on the department’s passport database.
The third employee also accessed Mr. McCain’s file, but was only reprimanded and remains employed.
More updates here and here. Watch several news reports here.
Topics: Public Figures and Privacy, Data Breaches | No Comments »
Obama Passport Breach: Rice Apologizes for “Imprudent Curiosity” of Her Staff
By Privacy Maven | March 21, 2008
The State Dept. called it “imprudent curiosity.” The Obama campaign called it “an outrageous breach of security and privacy.” Caught between adjectival phrases, Secretary of State Rice apologized to Senator Barack Obama.
More coverage at Hot Air. As the Washington Post reports,
Two State Department employees were fired and a third has been disciplined for improperly accessing Sen. Barack Obama’s passport file, the State Department announced last night.
Senior department officials said they learned of the incidents only when a reporter made an inquiry yesterday afternoon. They said an initial investigation indicated that the employees — all of whom worked on contract — were motivated by “imprudent curiosity.”
Bill Burton, spokesman for Obama’s presidential campaign, called the incidents “an outrageous breach of security and privacy.” He said this is “a serious matter that merits a complete investigation,” adding that the campaign will “demand to know who looked at Senator Obama’s passport file, for what purpose, and why it took so long for them to reveal this security breach.”
Undersecretary of State Patrick F. Kennedy, in a hastily arranged conference call with reporters, said he asked the State Department inspector general to open an inquiry into the matter and acknowledged that it might need to be expanded.
He also said he would brief Obama, who is locked in a tight race for the Democratic presidential nomination with Sen. Hillary Rodham Clinton, today on the matter.
Kennedy said that he did not know yet whether any laws were broken or whether the employees shared the information with others. He said that the incidents, which occurred at three offices, on Jan. 9, Feb. 21 and March 14, should have been “passed up the line” much sooner and that officials were seeking to determine why they had not been disclosed earlier.
Secretary of State Condoleezza Rice, who was briefed yesterday afternoon, requested a “full investigation,” department spokesman Sean McCormack said.
Topics: Public Figures and Privacy, Data Breaches | No Comments »