U of California San Diego failed to notify HIV-positive study patients of data breach, investigation finds

Mackenzie Garrity - Print  | 

University of California San Diego delayed notifying women in an HIV research study that their information may have been exposed in October, an inewsource investigation discovered.

The EmPower Women study comprised 24 HIV-positive patients who were being evaluated on why they avoided treatment. The lead researcher told university officials in October that the women's names, audio-taped conversations and other sensitive data was accessible by employees at a partnered nonprofit organization.

UC San Diego partnered with Christie's Place, a San Diego nonprofit that supports women with HIV and AIDS, to recruit women for the study. The nonprofit organization allegedly stored the study participants' information on a database it uses to track patients' clinical care.

The nonprofit was accused of intentionally storing the data on the clinical care database to "inflate" their patient numbers. By storing the information on that specific database, Christie's Place staff, interns and volunteers had access to the study participants' information. Patients' information was supposed to be password-protected and only accessible to authorized researchers.

After an internal investigation, Christie's Place board of director's president said the allegations were false. "Christie's Place did not misuse client data, did not breach client data to inflate patient numbers, did not misrepresent the services we provided, and did not improperly bill the county of San Diego," she said in a statement to inewsource

Once Jamila Stockman, the lead researcher, became aware of the security breach, she went to university officials. It was then that Ms. Stockman claims she was met with resistance to alert study participants of the data breach.

After seven months of back and forth through emails and meetings, university officials agreed earlier this month to inform study participants of the breach. The process will begin in one to three weeks, university officials said.

The EmPower Women project was funded by the UC system, meaning federal agencies could not monitor or enforce how UC San Diego handled the security breach.

More articles on cybersecurity:

Oregon State Hospital alerts patients of phishing attack
Memorial Hermann employee 'improperly' used patients' credit card info
First cybercrime hotline unveiled in Rhode Island

© Copyright ASC COMMUNICATIONS 2020. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.

To receive the latest hospital and health system business and legal news and analysis from Becker's Hospital Review, sign-up for the free Becker's Hospital Review E-weekly by clicking here.