UCSD Has Not Told Women With HIV Of Data Breach, Despite Researchers’ Pleas
KPBS Midday Edition Segments / May 15, 2019
University of California San Diego officials stonewalled attempts to notify women in an HIV research study that their confidential data was breached more than seven months ago, an inewsource investigation has found.
Speaker 1: 00:00 24 women with HIV had their personal information exposed in an October data breach in a UC San Diego research study. More than seven months later, the women still haven't been told that it happened. inewsource investigative reporter Jill Castellano has the story.
Speaker 2: 00:18 In 2016, UC San Diego researcher Jamila Stockman had an idea. She wanted to encourage HIV-positive women to get treatment, so she proposed a study where they'd have regular support sessions to confront their experiences with trauma, domestic violence, and mental illness. Then, she figured, they may be more prepared to confront HIV.
Speaker 1: 00:39 I developed this interest way beyond my undergraduate training.
Speaker 2: 00:44 Here she is speaking in 2013 okay,
Speaker 1: 00:46 and I've been fortunate and blessed to be able to continue to develop a research agenda surrounding these issues among vulnerable populations.
Speaker 2: 00:55 Stockman partnered with the San Diego nonprofit called Christie's Place to enroll two dozen women into the study. Along the way, all their data was put on the wrong computer server at the nonprofit. The breach meant anyone at Christie's Place could view their names, survey responses, and taped conversations. How big a deal is that? Here's a UCSD privacy officer talking about patient data in a campus podcast.
Speaker 1: 01:22 That is still somebody's data. So if you do have personal information about someone, think about what would happen if that data were to be compromised in some way or to be misused in some way. That's not something you want to see on the front page of a newspaper.
Speaker 2: 01:38 Stockman and her research staff at UCSD told the university officials about what happened in October. They were told to draft a letter notifying the women that their personal information was exposed. Seven months later, that letter still has not been sent.
Speaker 3: 01:54 but the problem appears to be tailored. Follow through. Um, um, what, uh, what was an upper, I think inappropriate plan.
Speaker 2: 02:02 Michael [inaudible] is a former associate director at the U.S. Office for Human Research Protections.
Speaker 3: 02:07 The reasons for the delay just are completely unclear and almost certainly not acceptable.
Speaker 2: 02:13 Emails obtained by inewsource show the director of UCSD's Human Research Protection Program, Kip Cantaloupe, told Stockman and her colleagues not to mention the data breach in the letter to participants. The university worried that telling the women what really happened could expose the school to more liability.
Speaker 3: 02:32 Pulling up that document.
Speaker 2: 02:34 C K Gonzales is the director of the National Center for Professional and Research Ethics. She looked through all the records inewsource has about the data breach.
Speaker 3: 02:43 From the documents I reviewed, I don't understand how the responsibilities to these vulnerable subjects are being fulfilled, and it appears that the subjects are coming last in the considerations, and I don't understand that.
Speaker 2: 02:56 In a statement, UCSD said the month delay in telling the participants what happened was mostly due to a single administrator who failed to fully examine all the facts. UCSD wouldn't say who that was, but said the administrator is now on leave. The statement also said the university is planning to talk to the women affected by the breach in face-to-face meetings, which will begin in about one to three weeks. UCSD's statement to inewsource read, quote, the privacy and protection of study participants were and continue to be a paramount. Joining me is inewsource investigative reporter Jill Castellano. Jill, welcome. Thank you. So is this breach of security UC San Diego's error or only Christie's Place, since they apparently put the information in the wrong place? This was Christie's Place's doing, and whether or not it was an error or intentional is actually a discussion.
Speaker 2: 03:52 So the University of San Diego documents say this was intentional by Christie's Place managers. They knew that the data was supposed to be password protected and confidential, but that the data was actually put on a different server that was supposed to store information about clinical patients at the nonprofit. And by doing so they could report these participants as patients when they send information to the county to bill for extra services. So the allegation is that they were trying to inflate their units of service to the county and receive more funding. Can you elaborate on what kind of information was available because of this breach? Yes. Pretty much every piece of information that's a part of this study was made available on a server where it wasn't supposed to be, giving lots of people access who weren't supposed to have it. So that includes names, addresses, survey responses, audio taped focus group conversations, whether the participants were getting a control group or a treatment, um, all the information about the ongoing sessions that they were having to talk about their trauma and their experiences with mental illness and things of that nature.
Speaker 2: 05:05 Besides the allegation that this was used to increase billing to the county, is there any indication that this information has been accessed or used inappropriately? We can't really know. So it appears according to UCSD that Christie's Place has not been cooperating. They've asked Christie's Place to remove the data and have not gotten an answer from Christie's Place. Whether that's happened or not, according to the security experts we've talked to, the situation is kind of like once, once the cat's out of the bag and the information is out there, it's very hard to know whether anyone has taken it off of that server, provided it to other people. It's might, we might never know. Now when the UC San Diego Human Research Protection Program director apparently told researchers not to alert the women involved, have you been able to find out what he intended to do instead? In other words, was he advising the data breach just be covered up?
Speaker 2: 06:03 He was advising them to send a letter to participants, but all the letter was going to say is we're not working with Christie's Place anymore and we're transferring all your data over to UCSD, and it specifically was not supposed to include any other information in it, including the fact that there was a data breach and that their confidential information was exposed. So it was kind of a halfhearted notification. It's a sad irony that privacy was supposed to be a big part of these support sessions. So my question is, have the sessions stopped? Has the research shut down? The sessions have stopped immediately. As soon as the lead researcher, Jamila Stockman, found out that there was a breach, she suspended the study and tried to work with Christie's Place to resolve it. She couldn't and she reported the breach to UCSD and took all the proper measures.
Speaker 2: 06:56 So as of this point there are, there's no ongoing treatment for these women and we'll see whether they want to start this study again once all of these issues are taken care of. Also the school is about to start one-on-one sessions to inform these women that their information was not secure. Do the women have the option to sue? Well, I'm not a lawyer so it's hard for me to say, but it will be interesting to see the language in the description that the university gives to these women. I'd be curious to know are they going to explain why it's taken seven months and are they going to tell, tell them what their legal options are? I'm not really sure. This feature is part of a series of reports inewsource is doing on ways that institutions failed to protect the people who enroll in research studies.
Speaker 2: 07:41 Was there any federal agency that was supposed to be watching over what happened at UCSD after the breach occurred? Well, this is a really interesting case study because most studies, research studies, are federally funded, or many of them are, and when they're federally funded through an agency like the National Institutes of Health, that means that there is some sort of bureau or department that can make sure that you're doing the right thing as a university when issues occur. Oftentimes that's the Office of Human Research Protections, a federal agency that is supposed to protect women like the women in this study. They're usually notified when breaches occur and they're supposed to make sure that they're handled appropriately. Here's the thing. In this case, this was a study that was funded internally by the UC system itself. They gave the UC researchers a grant to do this study, which means there wasn't federal oversight from this agency. But it sounds like you're going to be continuing to watch this story. We definitely will be. I've been speaking with inewsource investigative reporter Jill Castellano. Jill, thank you. Thank you. To read more about the university's response to the data breach, go to inewsource.org/risky research. inewsource is an independently funded nonprofit partner of KPBS.