Even after UCLA Medical Center warned employees that it was cracking down on unauthorized access to medical records, the privacy of a “well-known individual” was breached by two nurses and an emergency room technician who called up the patient’s computerized records in mid-April, according to a critical state report released Monday.
The California Department of Public Health also found that nearly twice as many medical center employees as had previously been reported peeked at confidential medical records at UCLA. Nearly 60 additional employees gained improper access to records between January 2004 and June 2006, the report said, bringing the total number of workers implicated in the growing scandal to 127.
Monday’s report was the fifth by the public health agency following articles in The Times this year about UCLA employees’ prying into the records of celebrities and prominent patients, including California First Lady Maria Shriver, actress Farrah Fawcett and singer Britney Spears.
State regulators continue to fault the hospital for failure to take adequate steps to maintain patient confidentiality. After the April violations, the report said, one nurse was fired and the two other employees received warnings.
The latest findings detail how one employee -- a former administrative specialist who faces federal criminal charges for violating Fawcett’s privacy -- looked at the records of 939 patients “without any legitimate reason” from April 2003 to May 2007. In previous reports, the state had linked her to viewing the records of about 60 patients. She also looked at other personal information, including Social Security numbers, the state now says.
“What we’re seeing here is a clear pattern of repeated violations of patient medical records and patient confidentiality by UCLA,” said Kim Belshe, secretary of the state’s Health and Human Services Agency. “It is absolutely unacceptable.”
Kathleen Billingsley, director of the state health department’s Center for Healthcare Quality, confirmed that 127 UCLA workers have been implicated and said investigations into other breaches at the hospital continue.
“What’s startling to us is, as we get to a point where we feel we’ve addressed a specific complaint and a specific issue, we identify additional issues,” she said. “It’s very disturbing to see this.”
The hospital said it has notified all patients whose privacy was breached by the indicted woman, Lawanda Jackson, and it has updated its systems to block complete Social Security numbers from its main clinical systems. It also has initiated new training on privacy for all staff and is enhancing security in its records systems.
“We have no excuses,” Dr. David Feinberg, chief executive of the UCLA Health System, said in a statement. “UCLA should have detected the violations by Ms. Jackson years ago and should have immediately initiated the process to dismiss her.”
Feinberg said the medical center continues to investigate.
“All other employees who were found to have violated patient confidentiality during our review have been disciplined, including some who have been terminated,” he said. “On behalf of the entire leadership of the UCLA Health System, I am deeply sorry for this failure, and the personal distress these breaches may have caused.”
Of the 59 employees newly linked to the breaches, 24 still worked at UCLA when they were identified, the state said. The hospital has proposed firing seven, suspending six for two to three weeks each and providing verbal or written warnings to eight others, the latest report says. Three remain under investigation.
In part because of the breaches, Gov. Arnold Schwarzenegger has endorsed legislation that would impose penalties on hospitals and healthcare workers for breaching patient privacy.
“Californians have every right to expect their medical records to be safeguarded and protected, and I am alarmed about repeated violations of patient confidentiality and the potential harm to the citizens of this state,” Schwarzenegger said in a statement. “By putting financial penalties in place for those employees and facilities that do not follow these laws, this legislation will lead to better care for all Californians.”
Under the legislation, being carried by Sen. Elaine Alquist (D-Santa Clara) and Assemblyman Dave Jones (D-Sacramento), healthcare workers who unlawfully view patient records would be fined from $1,000 to $250,000, depending on the seriousness of the violation. Hospitals and other health facilities would face fines of $25,000 to $250,000 for similar violations.
The legislation also would increase penalties for hospitals found to have put patients in jeopardy of harm or death, to $100,000 from $25,000.
Officials at the California Hospital Assn. said the trade group has taken no position on the legislation but is concerned that the state not penalize hospitals for inadvertent privacy breaches. The group is also concerned that hospitals could be penalized for the actions of rogue employees even when appropriate steps had been taken to protect patient confidentiality.
But Jones said the impetus for action is clear.
“I take it at face value that health facilities do think this is important,” he said. “But at the end of the day, there are far too many intrusions of patient privacy as a result of these breaches, and it needs to be brought to a stop.”
A major finding of the state’s new report on UCLA is that Jackson was able to view the records of more than 900 people by using her supervisor’s password. In most cases, she could see patients’ Social Security numbers, addresses, health insurance and other personal information. Officials were able to connect Jackson to each case by examining her workstation, Billingsley said.
Among those were two previously unreported cases in which representatives of the celebrities complained in October and November 2004 when details of their hospitalizations appeared in the national media.
In November 2004, for instance, the New York Post reported that actress Shelley Long, best-known for her role in the TV series “Cheers,” was hospitalized at UCLA. Her manager at the time said she became ill from medication to treat back pain.
The state report does not identify Long by name but includes dates of hospitalization that match when the Post said Long was at UCLA.
In the second case, another celebrity’s representative complained to UCLA after a national newspaper “ran a front page story about [the patient’s] surgery at the facility” in October 2004. The representative also complained that he was told that the information was obtained from an “inside source at the hospital.”
In addition to Jackson, another employee looked at the second celebrity’s records in May 2005 and again in November 2005.
That employee was suspended in July 2008 after the breach was discovered.
When reached by phone Monday afternoon, Jackson said, “I don’t have any comment.”
In April, she told The Times that she was “being nosy” when she looked at celebrity records.
“I didn’t leak anything or anything like that,” she said at the time. “It wasn’t for money or anything. It was just looking.”
Jackson was indicted by a federal grand jury April 9 on a charge of obtaining individually identifiable health information for commercial advantage.
Fawcett and her lawyers allege that Jackson leaked personal information about Fawcett’s battle with cancer to the National Enquirer and other tabloids.
According to a document reviewed by The Times, the supervisor whose password Jackson used is Alice Chan. Chan, who still works at UCLA as an intensive care unit director, declined to comment.
In his statement, Feinberg said UCLA would continue to devote its attention to improving patient privacy.
“We can’t undo the wrongs of the past,” he said. “But we can and are redoubling our efforts to not only improve our training and security systems, but to create a culture where this type of behavior will not take place.”