[ISN] More tied to UCLA snooping

From: InfoSec News (alerts@private)
Date: Tue May 13 2008 - 23:06:53 PDT


By Charles Ornstein
Los Angeles Times Staff Writer
May 12, 2008

California health regulators have connected 14 more people affiliated 
with UCLA Medical Center, including four physicians, to the improper 
viewing of celebrity medical records, bringing the number of current and 
former workers apparently implicated in the snooping scandal to 68.

The additional violations came to light in a report by the California 
Department of Public Health, which was sent to the hospital Friday. The 
findings are the latest to stem from reports in The Times about UCLA 
employees' prying into records of celebrities and co-workers. The 
regulators faulted UCLA for failure to maintain patient confidentiality 
and report the breaches to regulators.

The key findings relate to the activities of Lawanda J. Jackson, a 
longtime administrative specialist who allegedly pried into the medical 
records of 61 patients, including celebrities and co-workers.

According to the new report, Jackson reviewed the records of actress 
Farrah Fawcett on 104 days between July 1, 2006, and May 21, 2007. She 
also looked at the records of pop star Britney Spears, whose medical 
files have been viewed inappropriately by dozens of other UCLA workers, 
according to the report and interviews. (Jackson is not mentioned by 
name in the records, nor are the celebrities involved, but The Times has 
confirmed their identities.)

Jackson, 49, was indicted by a federal grand jury last month for 
allegedly selling information to the news media from medical records of 
celebrity patients. If convicted, she faces up to 10 years in prison.

Jackson had been in trouble before for snooping at UCLA, according to 
the new state report. Regulators found that Jackson had received 
"written counseling" in 2005 for improperly accessing the medical 
records of a co-worker.

She remained on the job until Fawcett complained to her UCLA doctor 
about a suspected breach, shortly after the National Enquirer reported 
last May that the actress' cancer was back. Fawcett had not yet told her 
son or closest friends about the recurrence.

Jackson resigned in July from UCLA after the hospital said it intended 
to fire her for "serious misconduct" in violation of federal patient 
privacy laws.

In an interview in April, Jackson told The Times that she did not leak 
information to the tabloids and that she was just "being nosy."

The state report suggested that Jackson might have tried to hide the 
extent of her snooping. One of her co-workers recently acknowledged that 
she twice gave Jackson her password and user information, according to 
inspectors. The review found that the employee's user ID was accessed 
from Jackson's computer to look at 46 records.

State inspectors found that 13 other people affiliated with UCLA 
apparently snooped on Spears' records between July 2006 and May 2007. 
That is in addition to 53 staffers identified in three previous state 
reports who looked at Spears' records on other occasions. The 13 
included three physicians, a physician trainee, three registered nurses, 
two outside contractors, a volunteer and three support staff.

Each of the employees had signed a confidentiality agreement after being 
hired promising to access patient information "only in the performance 
of assigned duties and where required or permitted by law," the state 

UCLA apparently did not determine the extent of the inappropriate prying 
until prodded recently by the state. Last month, inspectors from the 
health department asked a hospital official whether anyone else had 
inappropriately looked at the records reviewed by Jackson, and the 
official said, "As far as I know, no one else."

Prompted by a state request to dig further, however, UCLA found the 
remaining 14 people, including Jackson's co-worker.

Kathleen Billingsley, director for the state health department's Center 
for Healthcare Quality, would not say what the state's next steps would 
be, other than to work with UCLA to fix the problems. State officials 
have previously said that they were reviewing whether they could levy 
sanctions against UCLA or if additional penalties would be needed 
through legislation.

"We believe that this sends a clear message to the healthcare community 
that the confidentiality of patient medical records must be protected," 
Billingsley said.

UCLA officials have said that they take the breaches seriously. The 
employee who gave Jackson her user ID and password has been disciplined, 
hospital spokeswoman Dale Tate said. Of the 13 who looked at Spears' 
records, seven are no longer affiliated with UCLA, and the other six are 
being reviewed.

"Because these reviews are ongoing, we cannot provide additional 
information on the specifics of the investigation and the disciplinary 
actions, if any," the hospital said in a statement.

UCLA officials have appointed a high-level committee to review privacy 
policies and have pledged to retrain staff and improve computer systems 
to increase security.

Fawcett has not commented publicly about the breaches, but in a letter 
sent April 30 to U.S. Atty. Thomas P. O'Brien, Fawcett asked that his 
office expand the scope of its criminal investigation beyond Jackson to 
include tabloid journalists.

"It is my personal belief that what Lawanda Jackson is most guilty of is 
being a pawn," Fawcett wrote. "She worked in a hospital system that did 
not provide strong enough deterrents to stop their employees from 
breaching their patient's medical records -- which made it all the 
easier for the tabloids to financially induce . . . her to invade my 
privacy as well as the privacy of others."

Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com

This archive was generated by hypermail 2.1.3 : Tue May 13 2008 - 23:11:52 PDT