A California court on Thursday found the University of California Los Angeles Health System was not responsible for the unauthorized release of a woman’s medical record to a romantic rival.
The decision absolves the hospital from the $1.25 million the plaintiff sought for emotional distress and invasion of privacy.
Norma Lozano’s complaint alleges that in 2012, a temporary worker in a physician’s office affiliated with UCLA used a doctor’s password and user ID to access Lozano’s medical record, then texted photos of her medical information to others, including Lozano’s former boyfriend.
Lozano accused UCLA of not doing enough to prevent unauthorized access of her medical records, including enabling a second form of security before the breach occurred.
The hospital claimed that it should not be held responsible for the misconduct.
The question of company liability for inside-job data breaches is still being debated by courts.
Speculation that the hack of infidelity site Ashley Madison was performed by a disgruntled employee has raised the question of whether the company’s security policies can be considered “proximate cause,” or an event legally considered to have led to the breach.
“Ashley Madison was probably going to be a target either way, whether their security was lax or not,” Kristine Devine, a communications attorney with Harris, Wiltshire & Grannis, told The Hill.
The second layer of security that Lozano claimed should have been in place, called “break the glass,” may not have prevented the breach. It requires users of UCLA’s electronic medical record system to enter their password twice, as well as providing a reason for viewing the record.
In December of 2014, University Hospitals in Cleveland had to notify 692 patients that an employee had snooped through their data.