[BreachExchange] UCSD has not told women with HIV of data breach, despite researchers’ pleas

Destry Winant destry at riskbasedsecurity.com
Thu May 16 10:18:03 EDT 2019


https://inewsource.org/2019/05/14/ucsd-data-breach-hiv-women-study/

University of California San Diego officials stonewalled attempts to
notify women in an HIV research study that their confidential data was
breached more than seven months ago, an inewsource investigation has
found.

UCSD researchers conducting the EmPower Women study told university
officials in October that participants’ names, audio-taped
conversations and other sensitive materials were made accessible to
everyone working at Christie’s Place, a San Diego nonprofit supporting
women with HIV and AIDS. They called the situation “very serious” and
said the women affected are “within one of the most vulnerable and
marginalized populations.”

But internal emails, reports and meeting minutes chronicle months of
communication between lead researcher Jamila Stockman — who pushed for
telling two dozen women enrolled in the project about the breach — and
UCSD officials concerned about the consequences.

UCSD partnered with Christie’s Place to recruit subjects into a study
that would examine how their experiences with domestic violence,
trauma, mental illness and substance abuse affected their commitment
to HIV treatment. The women’s information was supposed to be kept
confidential and accessible only by authorized research staff.

According to university records, the breach occurred when Christie’s
Place managers intentionally stored all study information in a
database it uses to track patients receiving clinical care, which can
be accessed by anyone at the nonprofit, allegedly to “inflate” their
patient numbers and bill San Diego County for more services.
Christie’s Place denied that allegation.

In a statement, UCSD told inewsource it is working on contacting the
research subjects, a process it said will begin in about one to three
weeks. It blamed the delays primarily on one administrator who was put
on leave.

inewsource spoke with five experts in research ethics and data privacy
for this story, who all agreed it has taken UCSD far too long to
notify the women affected. One expert said “being transparent” is the
first step in these situations; another that he was “very concerned”
by the seven-month delay; and a third that the university’s response
“seems to violate the respect” for the research subjects.

“That’s just an unacceptable delay,” said Michael Carome, a former
associate director at the U.S. Office for Human Research Protections.

That office has oversight of many research studies – but not this one.
The EmPower Women project was funded entirely by the University of
California system, meaning the federal agency couldn’t monitor or
enforce how UCSD responded to the breach.

“Most people want to maintain control over their private medical
information, and a breach of that information can be emotionally
stressful,” Carome said. “It can be psychologically stressful, it
could potentially be damaging to personal relationships, perhaps
employment, perhaps insurability. So these types of breaches are very
serious problems.”

How the breach began

In 2016, Stockman began a study of HIV-positive women in San Diego
County who were not receiving treatment. The goal was to help them
improve their health.

Stockman, who is 42, has been performing studies like this for 15
years. She is an associate professor at UCSD and Vice Chief of Global
Public Health, researching HIV, domestic violence and substance abuse
in vulnerable populations across the U.S., Latin America and the
Caribbean.

Stockman has received more than $4.6 million in grants from the
National Institutes of Health. She also won the prestigious New
Investigator Award from the Centers for Disease Control and Prevention
Foundation for domestic violence research and an award from the World
Bank Group to study HIV-positive women in Brazil.

Stockman planned to enroll 100 participants in the EmPower Women
study. Half would receive frequent counseling and support sessions,
and half would have the option to use standard services available at
Christie’s Place, which has served families affected by HIV and AIDS
since 1996. Researchers would measure whether the women in the two groups
had different health outcomes.

Twenty-four women had been enrolled in the EmPower Women study when
Stockman’s team first reported a data breach to the university in
October.

A mental health professional at Christie’s Place had told researchers
that all EmPower Women study files were being kept on a computer drive
meant to store data about patients receiving clinical care, not data
about study participants.

As a result, the research subjects’ personal information — which was
supposed to be password-protected and accessible only to authorized
researchers — could be viewed by all Christie’s Place staff, interns
and volunteers. That includes participants’ full names, study ID
numbers, appointment dates, survey responses, whether they were in the
experimental or control group, session attendance records and audio
files from focus groups conducted in English and Spanish.

The researchers were told that the files had been placed on the wrong
computer drive intentionally, because Christie’s Place allegedly
wanted to “inflate” the number of people it supports with clinical
care and bill San Diego County for those services, meeting minutes
say.

Kathleen Grove, the president of the Christie’s Place Board of
Directors, sent inewsource a statement that said the nonprofit
investigated that allegation and determined “that Christie’s Place did
not misuse client data, did not breach client data to inflate patient
numbers, did not misrepresent the services we provided, and did not
improperly bill the County of San Diego.”

Stockman decided to suspend the EmPower Women study in October after
unsuccessful attempts to resolve the breach.

The university filed a written grievance about the incident with the
Christie’s Place Board of Directors, which then conducted an internal
investigation. Christie’s Place Executive Director Erin Falvey and
Clinical Manager Dawn Marie Tol resigned on Oct. 15.

Falvey and Tol did not respond to interview requests for this story.

More than two-thirds of Christie’s Place’s annual budget comes through
San Diego County’s Public Health Services Department, which gives out
money from federal and state agencies to local groups supporting
public health causes like HIV treatment.

The county was not aware of the breach or the allegations about
Christie’s Place’s billing practices until contacted by inewsource
last Thursday. County spokesperson Michael Workman said the county
would “look into the issue and take all appropriate measures on our
end.”

Data breaches are common in research studies and health care. There
are more than 450 breaches currently under investigation nationwide by
the U.S. Department of Health and Human Services for exposing personal
health information, including at least 23 breaches at universities.

UCSD is ranked among the top research institutions in the country. It
secured $1.2 billion in sponsored research support in 2018, with $686
million going toward UC Health Sciences. Its scientists have made
breakthroughs in diabetes research, understanding cancer genes,
identifying early signs of autism and treating Alzheimer’s disease.

Even with extensive training and high-tech encryption, there is little
UCSD could have done to prevent this breach if it was caused
intentionally by someone with access to the research files.

“These data breaches happen for various reasons and will continue to
happen,” said Anand Sarwate, an assistant professor in computer
engineering at Rutgers University. “What institutions need to have is
a clear set of guidelines” on what to do when a breach occurs.

“A lot of the time, we set up these rules to prevent a problem, but
then we don’t have any way of cleaning up a problem,” Sarwate said.
“Once the problem has happened, people kind of scramble around.”

‘Authority and expertise’

UCSD researchers worked through front and back channels in their
search for solutions.

The front channel involved UCSD’s institutional review boards, which
meet once a month to review and approve research studies. Under
university policy, researchers have to inform their review board when
data breaches occur, and the board can then tell the researchers how
to address the problem. The board could require the research team to
amend the study plan, temporarily stop enrollment or shut down the
project entirely.

When the EmPower Women researchers reported the breach, the review
board told them to draft a letter to participants notifying them of
what happened.

But that notification was repeatedly delayed.

When EmPower Women program manager Kristin Gundersen, a UCSD employee,
contacted the review board for guidance, she was told to go through a
back channel: UCSD administrators and lawyers.

Gundersen sent an email on Oct. 17 asking if the researchers should
try to document the details of the breach.

Kip Kantelo, Director of the UCSD Human Research Protections Program,
told Gundersen the situation was beyond the review board’s “authority
and expertise.” Officials from UCSD Health Compliance Advisory
Services and university attorneys “should have input” moving forward,
he said in the email.

Kantelo is the administrator who oversees all of the university’s
human research review boards.

“As you point out, taking any additional steps to document and/or
remove the data could compound legal issues,” he wrote.

That same week, the review board sent its first official response to
the researchers about how to address the breach. The board told
Stockman and her team to prepare a letter to “currently enrolled
participants and families summarizing the issue” and send it to the
board for approval.

The letter was supposed to describe the “reason for suspending study,”
a plan to identify a new community partner to work with, “the status
of participant involvement” and “the status of participant’s data,
particularly those whose data ended up in Christie’s Place records,”
according to board meeting minutes.

Carome, the former research protections associate director, said the
review board’s initial response was reasonable and “seems to have
recognized appropriately the severity of what happened.”

“But the problem appears to be the failure to follow through on what
was I think an appropriate plan,” he said.

As the researchers tried to draft the letter, they did as Kantelo
suggested: They met with administrators in the campus compliance
office, the privacy office and with university lawyers.

The advice they received was different from the review board’s.

The board told researchers there would be a thorough investigation of
the breach, but Daniel Weissburg, chief compliance and privacy officer
for Health Compliance Advisory Services at UCSD, said the university
did not have jurisdiction to conduct an audit or investigate the
research files kept at Christie’s Place. The security of the data
could not be guaranteed.

Weissburg is no longer employed at UCSD. The university would not say
if he was the individual placed on leave because of the breach.

“My goal has been to give women a voice in scientific research and the
development of programs and services,” Stockman told inewsource in a
statement. “It is my utmost priority to protect the privacy and
confidentiality of research participants and I have and continue to do
everything in my power to ensure this is upheld.”

‘A holding pattern’

The researchers discussed their growing concerns in a meeting with
Kantelo on Dec. 12.

Kantelo told them he would contact attorneys in the University of
California Office of the President, based in Oakland, for advice. Any
plan to notify the participants of the breach would be forwarded to
attorneys “to confirm that language used will not create additional
legal risk,” Kantelo wrote in an email after the meeting.

“We all agreed that given the landmines involved, all other actions,
including any notifications to the county” or “other possibly affected
researchers would be deferred … pending further advice from the
(attorneys) or others,” Kantelo wrote.

The next day, the researchers received their second official response
from the UCSD review board. The board emphasized that its “primary
concern” is “notification of study participants,” meeting minutes say.

Almost a month went by before the researchers were informed of a plan.
In January, after the university’s winter break, Kantelo emailed them,
saying he had spoken with a lawyer in the Office of the President.

Now Kantelo proposed “limited points of notifications to subjects”
about the breach. He said the lawyers, compliance officers and review
board members involved agreed with the language.

The letter would tell participants that Christie’s Place was no longer
involved in the project and “UCSD is working with Christie’s Place to
make sure that your confidential data is completely transferred to the
UCSD study team and that any extra copies are destroyed.”

The letter would not mention the breach.

“Information about Christie’s Place should be limited to the above,”
Kantelo wrote.

Stockman asked Kantelo to “justify” this decision.

“To be candid, the below recommendations contradict our training as
researchers directly working with human subjects, the training on IRB
(institutional review board), HIPAA, Privacy, and Compliance, and with
the previous guidance we received” from the review board, Stockman
wrote.

“Can you please provide your reasoning behind this recommended new
course of action?”
