A UCLA Medical Center worker who sneaked into the confidential medical records of '70s TV icon Farrah Fawcett last year also improperly viewed the electronic files of 32 other celebrities, politicians and high-profile patients, including California first lady Maria Shriver, according to interviews with hospital and state officials Sunday.
The breaches expose UCLA to state sanctions and amount to a major embarrassment for one of the nation's preeminent medical centers. The UCLA employee allegedly looked up information on noncelebrity patients as well, accessing 61 patients' records without permission in 2006 and 2007, state and hospital officials said.
"We are very concerned by what appears to be a pattern of repeated violations," said Kim Belshe, secretary of the state's Health and Human Services Agency.
"It's not a question of will we take action," she added. "It's determining what level of action to take."
UCLA said it learned about the widespread breaches last May and terminated the employee the same month. Officials would not provide her name or title but said she did not work in direct patient care. Employees in such departments as billing and admitting also have access to medical record systems.
In an interview Sunday, Dr. David Feinberg, chief executive of the UCLA Hospital System, apologized for the breaches. He described the employee who snooped as "rogue."
"This person should not have been looking at those records," he said.
Based on a review of the employee's e-mails and phone calls, he said, the hospital found no evidence that the information was leaked to tabloids or otherwise was shared inappropriately.
Feinberg acknowledged that UCLA had not notified the affected patients, nor did it inform state health regulators or criminal authorities about the problems. The privacy of medical records is protected under state and federal laws, which carry such penalties as prison terms, fines or both for inappropriately accessing or selling such information.
UCLA officials initially determined that alerting authorities and the patients involved was not required, but they are reconsidering whether to notify the patients.
"As this becomes more public, that may change our minds," said Feinberg, who joined UCLA last July.
He pledged that UCLA would work closely with the state Department of Public Health in its investigations. But he also said the medical center had since last May made "great strides" in improving the security of its systems to decrease the risk of privacy violations.
UCLA would not identify others whose privacy was breached, citing patient confidentiality rules.
State regulators began investigating last month after The Times reported that the hospital was firing 13 workers and disciplining 12 others for snooping in pop star Britney Spears' records during her stay in UCLA's neuropsychiatric unit earlier this year. At the time, UCLA told the newspaper -- and state regulators -- that the Spears breach was an isolated event.
Then last week, The Times reported that a different UCLA employee had repeatedly looked at records of Fawcett, who was receiving cancer treatment at the hospital last year.
Fawcett's lawyers told the newspaper they were concerned that details about her cancer treatment may have been leaked or sold to tabloids, including the National Enquirer, because a number of sensationalized reports were printed soon after her visits there. A story under the headline "Farrah's Cancer Is Back!" was published before the actress was able to tell her son about the recurrence, her representatives said.
When asked last week if there were other recent high-profile breaches along the lines of the ones involving Spears and Fawcett, UCLA's chief compliance and privacy officer Carole A. Klove said, "Not to my knowledge." A UCLA spokeswoman said Sunday that Klove was referring only to current cases.
While looking into the breaches in Fawcett's case, a state inspector discovered the other violations Friday. The state Department of Public Health said it now has several investigations underway, and it is working with the federal government.
"UCLA assured us -- the state -- that the initial breach [of Spears' records] was an anomaly," Belshe said. "And we have since learned that, simply put, it is not anomalous."
The latest development at UCLA highlights the irony that as privacy laws have become stronger, the computerization of medical records can increase the risk of unauthorized scrutiny.
Such widespread breaches, however, appear to be rare. Computers allow UCLA and other hospitals to track which employees call up individual records.
In Spears' case, Feinberg said, UCLA was able to quickly identify trespassers and take almost immediate action against them, demonstrating that the medical center had learned from previous lapses.
Shriver and Gov. Arnold Schwarzenegger were notified Friday evening that her records had been viewed inappropriately, state officials said Sunday.
Shriver, a former contributing anchor to Dateline NBC and niece of President Kennedy, could not be reached Sunday.
In a statement, Schwarzenegger said that "a breach of any patient's medical records is outrageous" and that he had called on his administration to take action after the first incident -- Spears' case -- was reported last month.
"Patients' medical records should be private -- period," Schwarzenegger said. "No one should have to worry that an unauthorized person is reviewing their private medical records."
Kathleen Billingsley, deputy director of the state Department of Public Health's Center for Healthcare Quality, said the state learned about the Spears breach from the newspaper, not from UCLA, and was notified of the Fawcett incident only after a Times reporter asked questions of the hospital.
UCLA did not share information on the violations it had discovered the previous May until an inspector discovered the document with the names of those affected, Billingsley said.
Feinberg said his staff believed that it had to report to the state only "unusual occurrences" that related to direct patient care.
"Historically, that has meant terrible types of medical errors, etc., not somebody looking at a chart that they weren't supposed to," he said.
Belshe said her agency was reviewing whether the state needed tougher sanctions for violations of patient privacy or other tools to hold hospitals accountable.
"It is a fundamental responsibility of a health facility to provide for the health and safety of their patients and maintain the confidentiality of their medical records," Belshe said. "That is as true for John Q. Public as it is for Maria Shriver and any other individual in our state."