Though UCLA Medical Center has portrayed recent privacy breaches as the rare actions of rogue employees, the hospital has known since at least 1995 that staffers were peeking into the medical records of such prominent patients as Tom Cruise and Mariah Carey -- and even spying on one another’s medical care, according to records and interviews.
James Duckstad, a former hospital assistant at UCLA, told The Times that he was one of a group of workers fired in 1995 after improperly looking at the computerized medical records of colleagues as well as celebrities including Cruise and Dom DeLuise.
“People knew that we were looking up celebrities and other patients,” said Duckstad, 41. “It was news throughout the whole hospital that employees were fired for screwing around in the computer. This was in 1995, and here we are 13 years later -- and either they didn’t follow the policy or people didn’t take it that seriously.”
Duckstad, now a swimming instructor, said he never sold the information to tabloids or otherwise shared what he learned. He said his motive was “just boredom” on the night shift.
The snooping continued.
In 2001, while pop star Carey was a patient in UCLA’s psychiatric unit, a nurse looked in her records, asked her for an autograph and showed it to teenage patients, according to one of her former colleagues, who spoke on condition of anonymity. The nurse was terminated, said the source and another person familiar with the matter.
Hospital employees also were caught looking at the records of former Beatle George Harrison, who received chemotherapy at UCLA and died in 2001, and John Phillips, a co-founder of the band the Mamas and the Papas, who died the same year, according to a former senior UCLA official, who also spoke on condition of anonymity. The official did not know what happened to the workers.
“I knew there were internal leaks inside the hospital,” the official said. “I knew there were people who were being paid [by tabloids] to look through records.”
The stakes for hospitals grew in 2003 when a federal law, the Health Insurance Portability and Accountability Act, put in place criminal and civil sanctions for breaches of patient confidentiality.
But the Coalition of University Employees complained in 2004 that two supervisors charged with training staffers about the privacy law were surreptitiously digging into their subordinates’ UCLA medical records.
When pediatrics administrative assistant James Tenney returned from a personal leave in 2003, he said his boss asked questions about his health that made him suspect she had looked at his records.
Tenney said he asked for a printout of anyone who looked at them and found the names of his supervisor, Cristina Becerra, and Dr. Alfred Pennisi, the medical director of the UCLA Children’s Health Center. In a flier issued at the time, the union said both supervisors were responsible for training employees about the 2003 privacy law.
A confidential letter from a UCLA official to the union in August 2004 acknowledged that the medical center compliance office “concluded that Mr. Tenney’s private medical records had indeed been improperly accessed by his supervisor and a faculty physician.”
“I feel violated,” Tenney said Thursday, adding that UCLA never apologized.
Meanwhile, he said, his supervisor remained on the job for more than a year after his initial complaint. Pennisi is still on staff, now as interim division chief for general pediatrics.
Through a UCLA spokeswoman, Pennisi declined to comment. Becerra, who stopped working for UCLA in March 2005, also declined to comment.
When Tenney told his colleagues what happened to him, they too asked to see who had viewed their UCLA records, said Fernando Martinez, an administrative assistant at UCLA. They found that the supervisors had also looked at their records, he said.
“There’s just no level of security,” he said. “No one takes it seriously enough.”
Dr. David Feinberg, chief executive of the UCLA Hospital System, said he had no excuses for previous breaches.
“You have to believe me when I say we’re taking this extremely seriously,” he said. “If we failed in the past, we will do everything we can to improve our systems. I think it’s more than just an [information technology] fix. I think it’s a cultural change.”
The California Department of Public Health has been investigating UCLA since March, when The Times reported that the hospital was firing 13 workers and disciplining 12 others for snooping on pop star Britney Spears.
Since then, the newspaper has reported that a different worker inappropriately accessed the electronic records of 61 patients, including actress Farrah Fawcett and California first lady Maria Shriver.
Fawcett’s lawyers believe that the UCLA worker, administrative specialist Lawanda J. Jackson, might have leaked or sold the information to tabloids, including the National Enquirer. The Enquirer reported that Fawcett’s cancer had returned last May before she had a chance to tell her son and closest friends.
Jackson resigned in July after UCLA initiated action to fire her. She told The Times this week that her motive was personal curiosity but declined to say whether she spoke with the Enquirer.
It appears that UCLA has not gone as far as a major competitor -- Cedars-Sinai Medical Center -- in providing extra security for the files of high-profile patients.
UCLA officials said this week that every day they audit the medical records of 72 high-profile people who have been patients to monitor which employees view them. Cedars-Sinai reviews 10 times as many.
Only certain employees can access the records at Cedars-Sinai, and if an unauthorized user so much as attempts to get in, he or she can be fired.
Cedars-Sinai spokesman Richard Elbaum said the hospital also uses real-time alerts to signal inappropriate access of certain medical records. And the records of high-profile patients have a special on-screen warning that reads, “This patient record is restricted. All accesses are logged and audited. Inappropriate accesses are grounds for disciplinary action and/or dismissal.”
In addition, the hospital takes extra precautions to protect the privacy of employees who are patients, Elbaum said.
UCLA spokeswoman Roxanne Moster said some of the computer systems at UCLA require users to state the role they play in a patient’s care. Others provide a warning that inappropriate access will be tracked and investigated. But some of the hospital’s systems don’t include warnings. A new system to be unveiled in the next few months will ask all users their reason for accessing specific patient records.
“Any breach, whether it’s a movie star, a politician, a patient employee or any patient that comes to us is extremely disturbing,” UCLA’s Feinberg said. “We need to get down to the bottom of it.”