Issuance of Breach Notifications to HIV Study Participants Delayed for 7 Months

The sensitive data of 24 female HIV patients were accessed by unauthorized individuals. Even if it’s been over 7 months since the breach was discovered, the affected women have not received breach notifications yet.

4 women took part in an EmPower Women research at the University of California San Diego (UCSD). They were diagnosed with HIV but had not sought treatment. The goal of the HIV research study was to learn why the women did not seek treatment. Did substance abuse, trauma, domestic violence or mental illness affect their decision not to seek treatment?  To help get patients who will participate in the study, UCSD worked with Christie’s Place, a non-profit organization which gives assistance to women clinically diagnosed with AIDS and HIV.

The 100 recruits for the study will be divided into two groups. One group will get free support and counselling services while the other group will have the option to receive standard assistance at Christie’s Place. The researchers will monitor the results of the two groups.

To track clinical care, the women’s names, audio recordings of interviews, and other sensitive data were collected and stored in a database. The database should have had access controls to ensure only authorized people can view the confidential information. However, anyone at Christie’s Place could access the database.

According to the inewsource investigation,  besides the exposure of the private and confidential data of research participants, the participants did not get breach notification letters despite UCSD’s knowledge of the privacy violation in October 2018.

A mental health professional informed lead researcher, Jamila Stockman, and associate professor at UCSD and Vice Chief of Global Public Health that all personnel, interns, and volunteers at Christie’s Place could access the database. She brought this to the attention of UCSD officials and pushed for the issuance of breach notifications in emails,  meetings and study reports. Because of the lack of action concerning the breach, Stockman halted the research in October 2018.

The inability to take immediate action and send breach notifications are tantamount to willful neglect of HIPAA Rules and will face the highest penalty. Nevertheless, the research was completely financed by the UC system and, so, is not covered by HIPAA Rules and is beyond the jurisdiction of the HHS’ Office for Civil Rights.

Christie’s Place was charged with deliberate inclusion of patient data to the database with complete knowledge that anyone can view it in an effort to blow up the number of patients taking part in the research and charge more services to the County of San Diego. That accusation was denied.

Christie’s Place gave a statement to inewsource verifying that its internal investigation determined there was no wrongdoing. Christie’s Place didn’t misuse client information; breach client information to blow up patient numbers; misrepresented the services provided; nor wrongly billed the County of San Diego.

After being informed concerning the breach, UCSD directed Empower Women to make a breach notification letter, but the delivery was repeatedly postponed. In March 2019, it was finally decided to notify the study participants concerning the breach, yet it was further delayed because UCSD wished to make certain that all research data was securely wiped out from Christie’s Place systems. UCSD plans to issue the notification letters 2-3 weeks from now.

The County of San Diego officials will carry out their own investigation of the incident and take the necessary action. Read the inewsource report here.