News of confidentiality breaches usually conjures up images of criminal masterminds who use advanced computer hacking techniques to steal personal information for personal gain.
And sometimes this is the case. In Dec. 2006, 800,000 UCLA community members, myself included, received an e-mail saying that personal information in a UCLA database had been accessed by “sophisticated hackers.”
Yet it doesn’t take technological expertise or malicious intent to access personal information. Often these instances of snooping arise from employees who can easily access confidential records and are curious about their contents.
For example, celebrities often attract their attention.
Last month, 13 UCLA Medical Center employees were fired and several others were disciplined for accessing Britney Spears’ medical records. Just last week, the Los Angeles Times reported that another employee had been let go for viewing the confidential file of ’70s “Charlie’s Angels” icon Farrah Fawcett, who had been receiving cancer treatment.
“It’s not only surprising, it’s very frustrating and it’s very disappointing,” Jeri Simpson, director of human resources, told the Associated Press after the Spears incident.
Though the Spears and Fawcett cases are the ones that received media attention, employees in offices campus-wide can easily find themselves snooping in the files of normal people going about their daily lives at UCLA. These types of privacy invasions, though not as often reported, should also raise concerns.
I spoke with an undergraduate volunteer employee in patient affairs at the UCLA Medical Center who has been working there for just over a year. She said she has often been tempted to look up names of people purely out of curiosity, such as when a colleague was booked for surgery.
“I would never go hunt in the dark and break into somebody’s office to find stuff out. … Sometimes if you see a last name that looks familiar, it’s tempting to do a bit more digging just to see if it’s someone you know,” she said.
A group of her coworkers attempted to look up Britney Spears’ medical file the morning the pop singer was booked.
“Some of the employees started asking what room she was in. We all share the same user names and passwords when we’re sitting in the office, and someone just sat down and typed her name into search,” said the undergraduate, who was never disciplined for the action.
“We realized it wasn’t a good idea, but in the moment, it was just exciting to be able to find out where she was,” she said.
U.S. medical employees who deal with confidential records must undergo training in accordance with the Health Insurance Portability and Accountability Act of 1996, Title II, which requires “protected health care information” to be carefully regulated by the various parties who obtain access to it.
Following the Fawcett incident, the UCLA Medical Center released a statement saying, “All staff members are required to sign confidentiality agreements as a condition of their employment and complete extensive training on HIPAA-related privacy and security issues.”
The student I spoke with went through HIPAA training, yet still said she felt unsure about where to draw the boundaries.
“It’s definitely not extensive training by any means. … You take a quiz online with (hypothetical) scenarios, but it’s all very black and white, unlike what you’d actually run into. … It only took me about five minutes to complete,” she said.
In the Office of Undergraduate Admissions, I spoke to a former employee who worked there for approximately eight months as an undergraduate in the 2006-2007 school year. Like the medical center, the office deals with thousands of private records. Employees must sign confidentiality agreements and sit through an hour-long training session on the subject.
“We had access to all types of contact information – full name, address, e-mail, phone number, social security number … basically all the information listed in their application, including grades,” said the employee.
“It was tempting to look up the records of both friends and high-profile people, like famous people who had applied and popular athletes. … Some of my co-workers and I would look up people out of curiosity, but I never gave anybody’s personal information to anybody else,” said the employee.
The employee said she had looked up the GPAs of several friends and discovered in Feb. 2007 that a friend applying to UCLA had not been admitted, though she didn’t tell anyone.
As the California Department of Public Health launches an inquiry investigating the Fawcett case, I hope that all bureaucratic departments on campus can take steps to ensure that their employees are respecting the privacy of their co-workers, patients and fellow students.
Yet the onus essentially falls on the employees themselves to practice integrity in the workplace, as there seems to be an almost innate human desire to snoop.
Regardless of whether the intentions are innocent or malicious, such information is incredibly sensitive and deserves to be kept private, for both celebrities and private citizens.
E-mail Noble at bnoble@media.ucla.edu.