A UCLA Medical Center worker who sneaked into the confidential medical records of '70s TV icon Farrah Fawcett last year also improperly viewed the electronic files of 32 other celebrities, politicians and high-profile patients, including California first lady Maria Shriver, according to interviews with hospital and state officials Sunday.
The breaches expose UCLA to state sanctions and amount to a major embarrassment for one of the nation's preeminent medical centers. The UCLA employee allegedly looked up information on noncelebrity patients as well, accessing 61 patients' records without permission in 2006 and 2007, state and hospital officials said.
"We are very concerned by what appears to be a pattern of repeated violations," said Kim Belshe, secretary of the state's Health and Human Services Agency.
"It's not a question of will we take action," she added. "It's determining what level of action to take."
UCLA said it learned about the widespread breaches last May and terminated the employee the same month. Officials would not provide her name or title but said she did not work in direct patient care. Employees in such departments as billing and admitting also have access to medical record systems.
For The Record
Los Angeles Times Tuesday, April 08, 2008 Home Edition Main News Part A Page 2 National Desk 1 inches; 44 words Type of Material: Correction
UCLA: A Section A article Monday on breaches of the private files of UCLA patients said Dr. David Feinberg joined UCLA in July. He became chief executive of the UCLA Hospital System in July; before that he was medical director of UCLA's neuropsychiatric hospital.
In an interview Sunday, Dr. David Feinberg, chief executive of the UCLA Hospital System, apologized for the breaches. He described the employee who snooped as "rogue."
"This person should not have been looking at those records," he said.
Based on a review of the employee's e-mails and phone calls, he said, the hospital found no evidence that the information was leaked to tabloids or otherwise was shared inappropriately.
Feinberg acknowledged that UCLA had not notified the affected patients, nor did it inform state health regulators or criminal authorities about the problems. The privacy of medical records is protected under state and federal laws, which carry such penalties as prison terms, fines or both for inappropriately accessing or selling such information.
UCLA officials initially determined that alerting authorities and the patients involved was not required, but they are reconsidering whether to notify the patients.
"As this becomes more public, that may change our minds," said Feinberg, who joined UCLA last July.
He pledged that UCLA would work closely with the state Department of Public Health in its investigations. But he also said the medical center had since last May made "great strides" in improving the security of its systems to decrease the risk of privacy violations.
UCLA would not identify others whose privacy was breached, citing patient confidentiality rules.
State regulators began investigating last month after The Times reported that the hospital was firing 13 workers and disciplining 12 others for snooping in pop star Britney Spears' records during her stay in UCLA's neuropsychiatric unit earlier this year. At the time, UCLA told the newspaper -- and state regulators -- that the Spears breach was an isolated event.
Then last week, The Times reported that a different UCLA employee had repeatedly looked at records of Fawcett, who was receiving cancer treatment at the hospital last year.
Fawcett's lawyers told the newspaper they were concerned that details about her cancer treatment may have been leaked or sold to tabloids, including the National Enquirer, because a number of sensationalized reports were printed soon after her visits there. A story under the headline "Farrah's Cancer Is Back!" was published before the actress was able to tell her son about the recurrence, her representatives said.
When asked last week if there were other recent high-profile breaches along the lines of the ones involving Spears and Fawcett, UCLA's chief compliance and privacy officer Carole A. Klove said, "Not to my knowledge." A UCLA spokeswoman said Sunday that Klove was referring only to current cases.
While looking into the breaches in Fawcett's case, a state inspector discovered the other violations Friday. The state Department of Public Health said it now has several investigations underway, and it is working with the federal government.
"UCLA assured us -- the state -- that the initial breach [of Spears' records] was an anomaly," Belshe said. "And we have since learned that, simply put, it is not anomalous."
The latest development at UCLA highlights the irony that as privacy laws have become stronger, the computerization of medical records can increase the risk of unauthorized scrutiny.
Such widespread breaches, however, appear to be rare. Computers allow UCLA and other hospitals to track which employees call up individual records.
In Spears' case, Feinberg said, UCLA was able to quickly identify trespassers and take almost immediate action against them, demonstrating that the medical center had learned from previous lapses.
Shriver and Gov. Arnold Schwarzenegger were notified Friday evening that her records had been viewed inappropriately, state officials said Sunday.