43b)

cox-3mm

10S,
 NORMA LOZANO, individuallyGELES, JOHN
FINLEY, and Does 1-25,

ALEXANDER KRAKOW GLICK LLP

J. Bernard Alexander (State Bar No. 128307)

Brett C. Beeler (State Bar No. 287749)

401 Wilshire Boulevard, Suite 1000

Santa Monica, California 90401

T: 310 394 0888 F: 310 394 0811

E: 

E: 

oomeoemao COPY
- omemaa mean

So erior Qeurt o? 
moiety of late Aogmoe

JUN. 8412015

Sherri  Garter, Eineeutlua Q?leet/
SUPERIOR COURT OF THE STATE OF CALIFORNLABV Raul Sanchez, BEDUW

Attorneys for Plaintiff
NORMA 

FOR THE COUNTY OF LOS AN GELES

Case No. BC505419
behalf of all others similarly situated,

Plaintiff,
Filed: April 9, 2013

Assigned to H011. Mary Strobel
Dept: 32

VS.

THE REGENTS OF THE UNIVERSITY
OF CALIFORNIA, UNIVERSITY OF PLAIN MEMORANDUM OF
POINTS AND AUTHORITIES IN
OPPOSITION TO THE REGENTS OF
THE UNIVERSITY OF 

. MOTION FOR SUMMARY JUDGMENT

D. EDWARDS, M.D., MARK G. YUDOF,

inclusive,
Defendants. Date: July 8, 2015

Time: 8:30 am.

Dept: 32

 

 

TO THE HONORABLE COURT, ALL PARTIES AND THEIR ATTORNEYS OF
RECORD HEREIN: PLEASE TAKE NOTICE THAT Plaintiff submits the following
Memorandum of Points and Authorities in Opposition to Defendant?s Motion for Summary

Judgment.


1 

 

 

 

OPPOSITION TO DEFENDANT MOTION FOR SUMMARY IUDGMENT

Clerk

 






 

II.

VI.

 

TABLE OF CONTENTS

SUMMARY OF ARGUMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SUMMARY OF FACTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
THE STANDARD ON SUMMARY JUDGMENT . . . . . . . . . . . . . . . . . . . . . . . . . . .

DEFENDANT UC NEGLIGENTLY RELEASED CONFIDENTIAL

INFORMATION IN VIOLATION OF THE CMIA . . . . . . . . . . . . . . . . . . . . . . . . . . .

A. Defendant UC "Released" Plaintiffs Medical Information Through Poor

Maintenance of its Medical Records System . . . . . . . . . . . . . . . . . . . . . . . . . . .

Defendant UC was Negligent Under the CMIA . . . . . . . . . . . . . . . . . . . . . . . .

Similar EHR System Procedures By Medical Centers Does Not Preciude

a Finding of Negligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
D. Defendant UC Was the Legal Cause of Plaintiffs Damages . . . . . . . . . . . . . . .

1. Defendant Must, But cannot, Prove That Any Additional Intervenng

Cause of Plaintiffs Injuries Was Not Foreseeable . . . . . . . . . . . . . . . . .

2. Defendant Cannot Conclusiver Show That Any Intervening Cause

of Plaintiffs Injuries Was Not Foreseeable . . . . . . . . . . . . . . . . . . . . . .

i. Foreseeability is a Broad Standard . . . . . . . . . . . . . . . . . . . . . . .

ii. The UC Could Foresee Additional Intervening Causes of

Plaintiff's Injuries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

DEFENDANT CONDUCT INVADED RIGHT Defendant UC's Conduct Constituted. More Than an Insubstantial Impact

on Plaintiffs Privacy Interests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

B. The General Public Interest in Electronic Medical Records is Not at Issue . .

 Legal Cause of Plaintiff?s Damages . . . . . . . . . . . . . . . . . . . . . . . . . . 21

.22

 



TABLE OF Apmomnes
CASES
Adickes v. SH. Kress Co,
398 US. 144 (1970Aguilar v. Atlantic Richfield Co. 
25 Cal. 4th 826 (2001Atkins v. County ofSonorna,
67 Cal. 2d 185 (1967Bigbee v. Paci?c Tel. Tel. Co.
34 Cal. 3d 49 (1983Board of Med. Quality Assurance v. Gnerardini
93 Cal. App. 3d 669 (1979Brewer v. Teano
40 Cal. App. 4th 1024 (1995handa v. Federal Home Loans Corp.
215 Cal. App. 4th 746 (2013line v. Watkins.
66 Cal. App. 3d 174 (1977ollins v. Navistar, Inc.
214 Cal. App. 4th 1486 (2013County ofLos Angeles v. Los Angeles County Employee Relations Com.
56 Cal. 4th 905 (2013Flowers 1). Torrance Mem 7 Hosp. Med. Ctr.
8 Cal. 4th 992 (1994Foreman Clark Corp. v. Fallon
3 Cal. 3d 875 (1971..7
IGonzalez v. Derrington
56 Cal. 2d 130 (1961..18
Hernandez v. Badger Const. Equip. Co
28 Cal. App. 4th 1791 (1994Hernandez v. Hillsides, Inc.
47 Cal. 4th 272 (2009Hill v. Nar?l Collegiate Athletic Ass ?n
7 Cal. 4th 1 (1994Holt v. Dep of Food (E: Agric. 
171 Cal. App. 3d 427 (1985


OOH-1 ON ~52- UJ NO

In re Estate of Flint

 

100 Cal. 391 (1893.20
Jackson v. Ryder Truck Rental, Inc.
16 Cal. App. 4th 1830 (1993Kwaitkowski v. Superior Trading Co.
123 Cal. App. 3d 324 (1981Leonard v. Watsonville Community Hospital
47 Cal.2d 509 (1956Los Angeles Gay and Lesbian Center v. Superior Court
194 Cal. App. 4th 288 (2011Massey v. Mercy Med. Ctr. Redding
180 Cal. App. 4th 690 (2009Merrill v. Navegar, Inc.
75 Cal. App. 4th 500 (1999Pettas v. Cole
Cal. App. 4th 402 (1996Poazbaris v. Prime Healthcare Services~Analzeim, LLP
236 Cal. App. 4th 116 (2015eaglz v. San Francisco Unified School District
119 Cal. App. 2d 65 (1953egents ofthe University of California 12. Superior Court
220 Cal. App. 4th 549 (2013Gap, Inc.
540 F. Supp. 2d 1121 (NB. Cal. 2008Schance v. H0. Adams Tile Co.
131 Cal. App. 2d 549 (1955Schrimslzer v. Bryson I
58 C211. App. 3d 660 (1976Tolan v. Cotton
134 1861 (2014Walrath v. Sprinkel
99 Cal. App. 4th 1237 (2002[Wise v. Payless, Inc.
Cal. App. 4th 1296 (2000




 

TATUTES
alifornia Civil Code
??56.?56.101 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
IFTHER AUTHORITIES
IRestatement (Second) of Torts 448 (1965din-MEMORANDUM OF POINTS AND AUTHORITEES
E. Summary of Argument.

This lawsuit seeks monetary damages and injunctive relief against Defendant Regents
of the University of California for negligent maintenance and preservation of
con?dential patient information. Plaintiff Norma Lozano?s electronic medical records were
breached while stored in the UCLA electronic health record system. Plaintiffs EHR
records were accessed by complete strangers, without Plaintiffs knowledge or permission, and
then maliciously disseminated to third parties. The protectors of Plaintiff private medical
records, UC, had no knowledge of this breach, and no means of detecting the breach. Were it
not for happenstance, Plaintiff would never have discovered that the breach occurred.

This invasion of privacy resulted from two acts of negligence: on a routine basis,
and despite UC training and periodic reminders, Defendant Dr. John D. Edwards (?Edwards?)
authorized his unsupervised staff to access the EHR system using only his password; and, (2)
UCLA maintains an ?Open access? EHR system, which allows all physicians to access all
records of over four (4) million patients, without any effort to place limitations on access. Any
physician with a password, regardless of the absence of a physician-patient relationship, can
access any record.

In its motion, the UC juxtaposes two false, con?icting premises as justification for
taking nominal measures to protect the private patient records of four million patients. The
UC asserts that it did everything reasonable to prevent the unauthorized sharing of passwords
by physicians, then simultaneously argues that unauthorized sharing of passwords by
physicians is unforeseeable and thereby excuses any negligence committed by UC.

The UC is well aware of previous instances of improper password sharing. To argue
unforeseeability is therefore disingenuous. However, the ?awed security of the EHR system
?ows from reliance on password access. alone and the unrestricted access allowed such access.

Based on issuance of a password alone, defendant UC presumes that access to the EHR
is for a valid reason. As demonstrated in great detail below, the reliance on passwords

alone as a security measure is a false panacea, which is used to justify turning a blind to

2
TO DEFENDANT MOTION FOR SUMMARY JUDGMENT

 



security ?aws inherent to its system. Indicative of this, the UC had no knowledge of the
breach of Plaintiff Lozano?s medical records accessed with Dr. Edward?s password, and no
adequate means of detecting the breach. UC did not discover and investigate the breach until
Plaintiff brought it to the attention. Thus, system is devoid of reasonable
safeguards necessary for preventing unauthorized access, or notifying patients of access, so
that the patient can determine if the access was an unauthorized breach.

The breach of Plaintiff?s records can be traced to faulty EHR system. Once a
password is issued to a doctor, unwarranted trust is accorded to any use of the password, in
lieu of a genuinely secure detection system. As Plaintiffs EHR expert, Adrian Gropper, M.D.,
states, the UC failed to incorporate multiple security measures into the BER system which
could have prevented the breach of Plaintiff medical records, or provided direct noti?cation
to Plaintiff that her records had been accessed, allowing her to ascertain that a breach
occurred, and take action to prevent further damage.

Dr. Gropper faults the UC for having no multi-factor authentication requirement, no
monitoring for password abuse, no email alerts to patients, and no identi?cation and limitation
of access for less trusted physician populations. Instead, the UC relies on a physician honor
code to ward against password sharing and abuse, even in the wake of widespread reports of
such Violations by physicians and their assistants. The system inappropriately trusts all
physicians equally and fails to limit or flag access that should be parsed between employee
physicians and non-employee physicians and their staff, and between identi?ed treating
physicians and physicians who have had no previous contact with a patient?s records.

Stated differently, Defendant UC gave out thousands of keys which could access its
house and the millions of highly sensitive records stored within it. The UC could have
required less trusted users non-employee physicians such as Dr. Edwards and his staff,
who had never previously accessed Plaintiff?s file before) to use multiple, different keys to
access the honse. The UC could have imposed a security system that allowed tracking and
review of the electronic access trail. The UC could have installed a simple alarm system that
?agged access by non~preauthorized physicians, all while still pennitting entry for emergency

3
TO DEFENDANT MOTION FOR SUMMARY 3UDGMENT

 

Limb-.purposes. Instead, the UC opted for blind reliance on a single access password, the nominal
level of security placed on simple, everyday email accounts, thereby placing millions of
intensely private medical records at risk.

The crutch relied upon by the UC for staving off a negligence trial is the argument that
other medical centers are equally lax in their maintenance of patient medical records. Even if
this were true, conformity with the negligent practices of other medical centers does not justify
the practice of exposing the records of over four million patients to breach. Whether the
nominal protections provided by the EHR system were unreasonable, and therefore
negligent, is a question of fact for the jury.

11. Summary of Facts.

 

Defendant UC maintains the UCLA Health System?s electronic patient records system.
(Disputed Fact 59) electronic medical records system contains the private
medical records of over four million patients. (DF 64) Plaintiff is a patient of a doctor
af?liated with UCLA. As a result, her con?dential medical information is stored in the UCLA
Health System?s electronic patient ?le system. (DF 125)

Physicians af?liated with UCLA are issued passwords which allow them full electronic
access to patient medical records. (DF 61) Hundreds of UCLA employee and non~employee
physicians are issued these passwords. (DF 65) Use of the password allows complete access to
the entire medical ?le of every patient in the system. (DF 61) UCLA received at least ?fteen
(15) privacy complaints regarding password sharing between May 2010 and 2013, 90~100% of
which resulted in discipline by UCLA. (DF 69, 70)

On September 5, 2012, Plaintiff noti?ed. UCLA that the previous day, an employee of a
UCLA?affiliated. physician (Dr. John D. Edwards) had gained access to and. photographed
Plaintiff?s medical records, and sent them to at least two individuals: the father of Plaintiff?s
child and his err-girlfriend, along with a text message accusing Plaintiff Lozano of having a
communicable disease. (DF 50, 56) UCLA was unaware that Plaintiff Ms. Lozano?s
confidential medical records had been breached until Plaintiff informed UCLA. (DF 1 1 1)

Dr. Edwards is a employed physician. (DF 80) As a UCLA-

4
OPPOSITION DEFENDANT MOTION FOR SUMMARY JUDGMENT

 

42>.

somumm

affiliated physician, UCLA issued Dr. Edwards a password which allowed him to access and
View all records within the UCLA electronic records system. Because Dr. Edwards has
privileges to see UCLA patients as part of his private practice, he was granted full access. (DF
61, 81) In order to run his of?ce unencumbered, Dr. Edwards routinely shared his UCLA-
provided password with his medical staff so they could access patient records for him. (DF
87). Alexies Price, a part-time assistant, used Dr. Edward?s password to access Ms. Lozano?s
medical records. (DF 56, 125) Plaintiff Lozano was never a patient of Dr. Edwards, and never
authorized him nor anyone else in his of?ce to View her records. (DF 86)

Like all physicians granted password access to the UCLA EHR system, UCLA trained
Dr. Edwards twice a year regarding policy that physicians not share passwords. (DF
38, 40) Dr. Edwards was reqaired to sign a confidentiality statement. (DF 41) Dr. Edwards
was also included on mass emails, which contained warnings and reminders of the
policy against password sharing. (DF 18) However, Dr. Edwards does not remember receiving
these emails and was unaware that it was forbidden to share his password with staff. (DF 18)
UCLA did not directly train Dr. Edwards? staff regarding its access policies and use of its
medical records system or require that he train them in any way whatsoever. Instead, it was
policy to only train those to whom it distributed passwords. (DF 1 14, 117)

Following Plaintiffs report, UCLA con?rmed that Dr. Edward?s password was used on
September 4, 2012 to access Plaintiffs medical lab reports. (DF 57) Violation of 
password policy resulted in imposition of a nominal $500 fine against Dr. Edwards,
requirement that he undergo HIPAA education, and placement of a letter in his Credential ?le
referencing the breach, but no notification to the California medical licensing board. (DF 88).

The UC EHR system allows UCLA to place a ?break the glass? feature on medical
records. ?Break the glass? requires individuals attempting to View a patient medical records to
re?enter their password a second time, and select the reason for Viewing. (DE 119) ?Break the
glass? purportedly provides an effective extra layer of security, because if ?someone sees the
break the glass warning, they may not enter the medical record.? (DF 120) UCLA
automatically places ?break the glass? on the EHR of a select minority of patients, including

5
OPPOSITION TO MOTION FOR SUMMARY JUDGMENT

 






celebrities, patients, and domestic violence victims. (DF 123) The ?break the
glass? feature was not present on Plaintiff Lozano?s records at the time they were breached.
(DF 122) UCLA ?rst applied ?break the glass? to Plaintiff 3 records after she informed UCLA
that her records had been distributed to third parties. (DP 122)

UCLA employs its own teams of coders who create and manipulate the software of the
EHR system. (DF 60) The system has been crafted to provide the following features:

0 Both preceding the breach of Plaintiff Lozano?s records and up until today, 
policy and practice for access to the EHR system called for use of a single password to
permit access to the electronic medical records of millions of patients, including
Plaintiff Lozano. (DF 61-64) Physicians are not required to accompany password use
with a companion physical ?token? that assures the identity of the user. (DF 102)

9 UCLA does not apply the ?break the glass? feature to limit access by certain physician
populations. (DF 129) UCLA limits its application of ?break the glass? out of a
concern for patient safety which might be jeopardized by the extra one to ?ve seconds it
takes to ?break the glass? in a medical emergency. (DF 126) UCLA contends that the
danger of these few seconds outweighs concerns over patient privacy. (DF 126)

a In terms of detection of unauthorized breaches, UCLA only actively monitors the access
logs for medical records of ?persons of interest?, to look for unauthorized access. (DF
113) No automated email notice is given to patients when their medical records have
been accessed by a non-?previously authorized physician. (DF 135)

UCLA identi?es a myriad of potential reasons why physicians might access an EHR.
(See, DF 23?30), but fails to acknowledge that these access points provide potential camou?age
for unauthorized access. (DP 118) UCLA has failed to implement a system for detecting and
determining whether access is being gained for a legitimate reason. (See DF 131, 134, 141)
The Standard on Summary Judgment.
The Court should not grant summary judgment unless there is no triable issue as to any
material fact and the moving party is entitled to judgment as a matter of law. Aguilar v. Atlantic
Rich?eld C0. (2001) 25 Cal. 4th 826, 843. ?Summary Judgment is a drastic remedy that is to

5

 

 

OPPOSITION T0 DEFENDANT MOTION FOR SUMMARY JUDGMENT

 






 

be used sparingly, and any doubts about the propriety of summary judgment are to be resolved
in favor of the opposing party.? Walrth v. Sprinkel (2002) 99 Cal. App. 4th 1237, 1240.

In asking the court to grant summary judgment, the moving party must set forth all
evidence, not just the evidence favorable to it. To do otherwise is to mislead the court as to the
state of the discovery record. Foreman Clark Corp. v. Fallon (1971) 3 Cal. 3d 875, 881
as defendants here contend, ?some particular issue of fact is not sustained, they are
required to set forth in their brief all the material evidence on the point and not merely their
own evidence?). The United States Supreme Court recently emphasized that ?courts may not
resolve genuine disputes of fact in favor of the party seeking summary court
must view the evidence ?in the light most favorable to the opposing party.? Talon Cotton
(2014) 134 1861, 1866 (quoting Adickes 12. SH. Kress (if: C0. (1970) 398 U.S. 144, 157).
In Talon, the Court took the rare step of granting certiorari for a summary judgment case in
order to reiterate the danger of ?credit[ing] the evidence of the party seeking summary
judgment and fail[ing] properly to acknowledge key evidence offered by the party opposing
that motion.? Id. at 186768.

EV. Defendant UC Negligentlv Released Con?dential Information ln Violation of the


To state a violation of the California Con?dentiality of Medical Information Act
Plaintiff must allege (1) con?dential medical information of the patient, (2) was
released or disclosed, (3) by a provider of health care, health care service plan, or contractor,
(4) without authorization of the patient, and (5) outside the statutorily mandated exceptions to
disclosures of this medical information. Cal. Civ. Code ?56.10. Additionally, a violation of the
CMIA occurs when a health care provider negligently maintains, preserves, or stores a patient?s
medical information. Cal. Civ. Code ?56.101. As explained in detail below, material facts
exist upon which a reasonable jury could find that UC released Plaintiffs medical records
through its negligent maintenance of the UCLA EHR system.

A. Defendant UC ?Released? Plaintiff?s Medical lnformatlon Through Poor

Maintenanee of its Medical Records System.

7
OPPOSITXON TO DEFENDANT MOTION FOR SUMMARY JUDGMENT

 



Negligent storage, maintenance, and preservation of patient data is precisely the danger
that the California Legislature intended to protect against by enacting the CMIA, Cal. Civ.
Code et. seq. This is made clear by both the plain language of the CMIA, and the recent
holding in Regents oft'he Univ. ofCaZ. v. Superior Court (2013) 220 Cal. App. 4th 549.

The court in Regents explained that ?to release? is a broader term than ?to disclose? and
that the Legislature intentionally, rather than super?uously, used both terms within the same
statutory scheme, in order to clearly charge health care providers with the ?duty not only to
refrain from unauthorized disclosures of con?dential medical information but also to maintain
such information ?in a manner that preserves the confidentiality of the information contained
therein?-? storagewrelated duties far broader than the duty created. by section 56.10.? Id. at
565-66. health care provider who has negligently maintained con?dential medical
information and thereby allowed it to be accessed by an unauthorized third personwthat is,
permitted it to escape or spread from its normal place of storagemnlay have negligently
released the information within the meaning of Id. at 565 (emphasis added). A
?release? occurs when a health care provider?s poor maintenance and failure to protect records
causes thorn to escape from storage.

Guidance is provided in footnote 12 of Regents, which states that an ?action may be
brought ?against any person or entity who has negligently released con?dential information 
rather than brought by a person whose confidential information has been released.? Id. at 565.
Thus, footnote 12 was added to ensure that a plaintiff identify behavior which led to an
unauthorized access of confidential information, rather than assert a release simply because
unauthorized access occurred. Here, a question of fact exists regarding accountability for
continual inadequate maintenance of the UCLA EHR system, which released Plaintiff?s
medical records to third parties.

This Court has already found, in overruling demurrer on this issue, that 

af?rmative decision to maintain its medical information in an ?unrestricted system? made

8
OPPOSITZON TO DEFENDANT MOTION FOR SUMMARY JUDGMENT

 



possible the unauthorized viewing.? Ex. 7, at 4-.2 The undisputed facts con?rm the basis for
the Court?s determination, that millions of UCLA patient records are unreasonably exposed to
?release? to anyone with a password, which constitutes a ?release? under the CMIA.

Defendant argues that no reasonable jury could ?nd a ?release? of information because
its policies were consistent with standard practices of other large medical centers; and, because
a more technologically restrictive design would jeopardize patient safety. (MSJ, 8:24~25:7)
However, even if practices were customary in the industry, this would not preclude a
jury ?nding that UCLA and other medical institutions were guilty of a ?release? of information
in violation of the CMIA. The con?icting expert opinions provided by Plaintiff and Defendant
as to whether the policies and procedures of the UC and other medical centers were
unreasonable, both as to the unfettered access provided based on a single password, and the
failure to directly train non-employee physician staff or prevent or detect their unauthorized
password use, cannot be resolved on summary judgment. The reasonableness of 
policies and procedures is a question of fact for the jury.

3. Defendant UC was Negligent Under the CMHA.

Negligence is the failure to exercise the care that a reasonable person would exercise
under the circumstances. Massey v. Mercy Med. Ctr. Redding (2009) 180 Cal. App. 4th 690,
694. Defendant UC contends that ?Plaintiff must provide evidence that UC did not exercise
the degree of care ordinarily exercised by medical centers under similar circumstances.
Flowers v. Torrance Mem ?1 Hosp. Med. Ctr. (1994) 8 Cal. 4th 992, 998.? (MSJ, 9:16?18) This
premise is contradicted by well established California law.

?There are no ?degrees of care? as a matter of law, there are only different amounts of

care, as a matter of fac Flowers, 8 Cal. 4th at 997. Accordingly, the standard of care will

 

 

9? As this Court found, ?Plaintiff has alleged that UC did engage in af?rmative conduct that

esulted in the negligent maintenance and storage of Plaintiff private medical information and

he unauthorized viewing of such information. Speci?cally, Plaintiff alleges that UC ?created
continuously maintains an electronic medical record storage system under which the entire
edical records of millions of UCLA patients are made accessible, and in fact,- released to
yone with an access UC maintained this system after being placed on notice of

ecurity ?aws after ?multiple breaches from unauthorized snooping since 2005.? Id.
9
l' OPPOSITION TO DEFENDANT MOTION FOR SUMMARY JUDGMENT

 

42.0010



always be that of ?ordinary prudence.? Whether or not Defendant exercised the amount of care
deemed reasonable in a particular case will vary, but the duty of acting with due care
commensurate with the risk posed by the condact at issue, taking into consideration all relevant
circumstances, remains constant. Id.

The breach of duty to Plaintiff Lozano does not involve professional negligence,
because Defendant actions at issue were not taken by physicians in the rendering of
professional services. See, Poazbaris v. Prime Healrhcare Services-Anaheim, LLP (2015) 236
Cal. App. 4th 116, 125. However, regardless whether one is a professional, the law demands
the exercise of ordinary care, and the specialized education and training of professionals are
only considered circumstances relevant to an overall assessment of what constitutes ordinary
prudence in a particular situation. Flowers, 8 Cal. 4th at 997. Therefore, expert testimony will
be provided to the trier of fact to assess the amount of care and skill expected of a reasonably
competent conserver of electronic health records in the same class to which that conserver
belongs, acting in the same or similar circumstances, unless the conduct required by the
particular circumstances is within the common knowledge of the layperson. See id. at 1001.
Here, there are at least two experts with differing opinions regarding whether UC appropriately
maintained its EHR system amidst the technological capabilities available, which will aid and
inform the jury in determining whether conduct met the legal standard of due care.

C. Similar EHR System Procednres By Medical Centers Does Not Preclnde a

Finding of Negligence.

The Court must reject Defendant claim that no triable issue exists as to whether
the UC was negligent, simply because its practices were consistent with those comparable
medical centers. It is well settled law that ?[c]ompliance with regulations, directives or trade
custom does not necessarily eliminate negligence but instead simply constitutes evidence for
jury consideration with other facts and circumstances.? Hernandez v. Badger Coast. Equip.
C0 (1994) 28 Cal. App. 4th 1791, 1830-31 (emphasis added). See also Holt v. Dep ?r of Food 
Agric. (1985) 171 Cal. App. 3d 427, 435?36 (?Evidence of the custom or general practice in the
same trade or occupation is relevant but not conclusive on the question whether the actor

1 
OPPOSZTION TO DEFENDANT MOTION FOR SUMMARY JUDGMENT

 

Jabutilized due Conformity with the general practice or custom will not excuse conduct
which is not consistent with due The care to be exercised must be in proportion to the
danger to be avoided and the consequences which might follow.? (citation omitted?; SChance
v. H. 0. Adams Tile Co. (1955) 131 Cal. App. 2d 549, 552 (?Adherence to may be
considered as a factor in the determination of But proof of such adherence, though
undisputed, does not as a matter of law void the charge of negligence?)

In Keogh v. San Francisco Unified School District (1953) 119 Cal. App. 2d 65, 68-70, a
chemistry teacher stored potassium chlorate on an cpen shelf, accessible to students. A student
mixed the potassium chlorate and with other chemicals without the teacher?s permission, while
her back was turned, which led to a combustion that injured the student. The Court of Appeal
rejected the school district?s argument that the teacher?s practices were not negligent as a
matter of law because other high schools also had a practice of maintaining dangerous
chemicals on open accessible shelves. The Court of Appeal ruled that it was reversible error
for the trial court to instruct the jury that the standard of care in supervision was measured by
the degree of supervision ordinarily furnished by other similar schools. Id. at 73-74. As the
court explained, ?[e]vidence of custom in the same trade or occupation is admissible for the
consideration of the jury but it is not conclusive on the question of What constitutes
ordinary care. Conformity to ?the general practice or custom would not excuse the defendant's
failure unless it was consistent with due care.? Id. at 70-71 (emph. added; citations omitted).

Similarly, in the California Supreme Court case of Leonard v. Walsonville Community
Hospital (1956) 47 Cal.2d 509, 512, a doctor left a clamp in the plaintiff?s abdomen. The
hospital, in an attempt ?to avoid liability on the theory that they were required to exercise only
that degree of skill employed by other hospitals and nurses in the community?, pointed to the
hospital superintendent?s testimony that there was no established practice of instrument
counting after surgery. 1d. at 514-519. The Court rejected this argument, holding that
?Although under such circumstances proof of practice or custom is some evidence of what
should be done and may assist in the determination of what constitutes due care, it does not
conclusively establish the standard of [G]enera1 negligence cannot be excused on the

1 1
OPPOSITION TO DEFENDANT MOTION FOR SUMMARY JUDGMENT

 





ground that others in the same locality practice the same kind of negligence.? Id. at 519.

Like defendants in Reagh and Leonard, Defendant UC cites exhaustively to the
declarations of Dr. Michael Pfeffer and John Christiansen in an attempt to prove that its EHR
storage and maintenance practices conform to the practices of similar hOSpitals and medical
centers, as to role-based access controls, user authentication, training, and policies. (MSJ,
10:12-44; 11:12?20; 1 1223-1219) However, just like the teacher who stored potassium chlorate
on a shelf accessible to students or the surgeon who failed to account for the clamps used in
surgery, the storage of con?dential patient medical records must be judged by
reasonableness, not merely purported conformity with industry custom and practice. The UC
cites no cases which hold otherwise. At best, the conformity to industry policies and
practices (and its explanations for choosing access over patient privacy) is evidence for
consideration by the jury, along with other facts and circumstances.

As the expert opinions of Adrian Gropper, MD. indicate, reasonable security features
were available, such as the use of physical tokens as a companion to password use, monitoring,
and automated electronic notices sent to patients, which if implemented by the UC would have
rendered the EHR system reasonable. (DF 142) This case is not just about whether the UC had
the power to prevent peeple from needlessly and illegally accessing the records of non-patients.
This case encompasses the question of whether the UC was unreasonable in the management of
its EHR system, and whether due care required that it implement meaningful alternative
security practices to protect patient medical record privacy.

D. ?efendaut UC Was the Legal Cause of Plaintiff?s Damages.

Negligent storage of patient records in an open access system with singular password
protection was a proximate cause of the breach of Plaintiff Lozano?s records. UC claims that
liability for its negligence can be short-circuited because (1) public policy justi?es treating
even foreseeable additional intervening causes of Plaintiff?s injuries as superseding cases
(which relieve the original actor of liability); or, (2) Dr. Edwards? sharing of his password with
staff, and their use of his password, was a superseding cause which broke the chain of
causation between conduct and Plaintiffs injuries. Both of these arguments must fail.

. ?l 2
OPPOSITION TO DEFENDANT MOTION FOR SUMMARY JUDGMENT

 



Defendant Bat Cannot, Prove Thar Any Additional Intervening
Canse ofPlaintg?fj?s Injuries Was Not Foreseeable.

Defendant UC contends that even foreseeable, additional intervening acts can be
superseding causes for reasons of public policy (MSJ, However, California
courts do not follow this principle. As stated by the court in Wise v. Thri?v Payless, Inc.
(2000) Cal. App. 4th 1296, 1305 n.3, ?California courts have rejected the blanket role that an
intervening criminal or tortious act is by its very nature a superseding instead adepting
the View that [i]f the realizable likelihood that a third person may act in a particular manner is
the hazard or one of the hazards which makes [the] actor negligent, such an act whether
innocent, negligent, intentionally tortious or criminal does not prevent the actor from being



liable for harm caused thereby. (citations omitted)
Indeed, UC cites only one case in support of this principle: Cline v. Watkins (1977) 66
Cal. App. 3d 174. The Court of Appeal?s ruling in Cline should guide this Court. Cline
involves negligence by two attorneys. The first attorney, who had only ?led a complaint,
persuaded the trial court that liability for his negligence should be completely out off due to
negligence of the client's subsequent attorney, who assumed full and exclusive control over the
client's case. Id. at 176?7 7. The Court of Appeal reversed the trial court, ruling that as a matter
of law that it could not be found that the foreseeable intervening negligence of the subsequent
attorney, who gained exclusive control over the client's litigation right after the
complaint was ?led, was necessarily a superseding cause to completely insulate the initial
attorney from liability for his prior negligence. Id. at 179480. The Court reasoned that
?lawyers are not entitled to special treatment in the form of special relief from the
consequences of their negligence that is not afforded other [just as] a negligent
physician is not relieved of the consequences of his lack of care because a subsequently treating
physician could have avoided the injury had he not also been [even though both the
new lawyer and new physician] assume full responsibility and have full control. Id. (citations
omitted). The Court therefore concluded that the ?issue of the proximate causation of damage
?owing from [the initial attorney's] negligence is thus one of foreseeability to be determined by

1 3
OPPOSITION TO DEFENDANT MOTION FOR SUMMARY JUDGMENT

 

economan

the trier of fact and not on demurrer.? .1611.

Defendant UC is not entitled to special protection from its own negligence simply
because Dr. Edwards was also negligent. Dr. Edwards? negligence was only made possible by
the porous nature of password security measures. In arguing that Dr. Edwards is an
intervening cause, Defendant UC invites this Court make the same reversible error as was
made in Cline.

Tellingly, Defendant fails to cite a single case in which a California court applied this
principle? Instead, California courts routinely determine that the issue of whether an
intervening cause is a snperseding cause hinges entirely on whether the intervening cause was
foreseeable. See Wise, supra; Brewer v. Teano (1995) 40 Cal. App. 4th 1024, 1032; Atkins v.
County ofSonoma (1967) 67 Cal. 2d 185, 199; Merrill v. Navegar, Inc. (1999) 75 Cal. App.
4th 500, 169 (superseded on other grounds).

Even if Defendant UC were correct that policy considerations could override well
established precedent, there are no overriding policy considerations at issue here. Plaintiff?s
claims against the UC do not foreclose the ability of the UC to use an EHR system, but rather
concern the lack of prudent maintenance of the system maintained by the UC.

2. Defendant Cannot Conclusiver Show TherAny Interventng Cause of
Injuries Was Not Foreseenble.
i. Foreseeabilitv is a Broad Standard.

An independent intervening act is not foreseeable, and thus not a superseding cause of
the injury, if the intervening act is ?highly unusual or extraordinary, not reasonably likely to
happen.? Schrimsher v. Bryson (1976) 58 Cal. App. 3d 660, 664. A court?s role in making this
evaluation is not to decide ?whether a particular plaintiff? injury was reasonably foreseeable

in light of a particular defendant?s conduct, but rather to evaluate more generally whether the

 

 

Defendant misleadingly cites the Restatement (Second) of Torts 448 (1965). The passage
fter the period inserted by Defendant states that an intentional tort or crime is a superseding
anse of harm ?unless the actor at the time of his negligent conduct realized or should have
ealized the likelihood that such a situation might be created, and that a third person might avail

imself of the opportunity to commit such a tort or crime.? (emphasis added) MSJ, 13 1 5-18.
14

TO DEFENDANT MOTION FOR SUMMARY JUDGMENT

 



a,ww

category of negligent conduct at issue is suf?ciently likely to result in the kind of harm that
liability may appropriately be imposed on the negligent party.? Brewer, 40 Cal. App. 4th at
1030. In other words, a court?s view of foreseeability encompasses ?the general character of
the event or not its preeise nature or manner of occurrence.? Collins 12. Navistar,
Inc. (2013) 214 Cal. App. 4th 1486, 1502 (emphasis added). Foreseeability is not ?measured
by what is more probable than not, but includes whatever is likely enough in the setting of
modern life that a reasonably thoughtful [person] would take account of it in guiding practical
conduct.? One may be held accountable for creating even ?the risk of a slight possibility of
injury if a reasonably prudent [person] would not do so?? Id. (citations omitted). Moreover,
?[t]he foreseeability required is of the risk of harm, not of the particular intervening act. In
other words, the defendant may be liable if his conduct was ?a substantial factor? in bringing
about the harm, though he neither foresaw nor should have foreseen the extent of the harm or
the manner in which it occurred.? Id. at 1503 (emphasis added in bold).

For example, in Chanda v. Federal Home Loans Corp. (2013) 215 Cal. App. 4th 746,
mortgage lenders brought an action against a mortgage broker for negligence and breach of
?duciary duty, after discovering that they had ?nanced a loan obtained through fraud and
forgery. Plaintiff homeowner, upon discovery of the fraud and forgery, sued Federal Home
Loans Corporation the mortgage broker. FHLC argued that the act of the notary
was an intervening superseding cause. The Court of Appeals held, the extent FHLC
argues it was unforeseeable that a notary would commit forgery, we agree with [plaintiff] that
FHLC is viewing the facts too narrowly. The general character of the event, the submission of
forged loan documents was highly foreseeable. The fact a notary committed the forgery, a
notary's cohort committed the forgery, or a notary negligently authenticated a forged signature,
are details that do not change the general character of the event--the submission of forged loan
documents. Finally, the result of that event, the [plaintiffs] loss of their investment, was also
highly foreseeable.? Id. at 756-57 (citations omitted, emphasis added).

ii. UC Could Foresee Additional lntervening Causes of Plaintiffs Injuries.

Like Chanda, unauthorized password use and medical file access was highly

15

 

 

OPPOSITION TO DEFENDANT MOTION FOR SUMMARY JUDGMENT

 




mummawN?tawmummomNJ?to

foreseeable. narrow focus on the manner in which Ms. Price gained unauthorized access
to Plaintiffs medical records (by way of password sharing by Dr. Edwards) is misplaced. UC
had the ability to meaningfully limit or discourage this unauthorized access, by requiring use of
both a password and a token, or notifying users that access by a nonupre-authorized physician
would be flagged, or by notifying patients if non~authorized parties access their EHR.

Rather than impose security measures such as these, the UCLA EHR ?open access?
system allowed physicians and even sin)?? to access non-patient records, without detection,
thereby creating the risk of release of Plaintiff 3 records. The risk of harm from unauthorized
password access (sharing) is inherent to the ?open. access? system.

Thus, the loss of Plaintiffs privacy was highly foreseeable. A reasonably thoughtful
person in position would have considered the risk of harm from the general character of
unauthorized physician password use in guiding its maintenance of its EHR system.

It is disingenuous for the UC to claim that it could not have anticipated the nature or
manner of the password misuse, or the extent of the harm it caused. The very existence of the
?break the glass? feature con?rms UC understands the need to protect at least a small segment
of the over four million patients with records maintained in its system. Any intervening cause
of Plaintiffs iaj cries was foreseeable by the UC for a number of other reasons.

First, UC clearly contemplated risk arising from unauthorized password use, as UC
explains at length when arguing that UC exercised reasonable care in creating and securing its
EHR system. For. example, UC policies and training of physicians include a speci?c directive
that password sharing with unauthorized co-workers is forbidden. (MSJ, 9:25~lO:l) UC
reqaired Dr. Edwards to certify that he would not share his password. (MSJ, 10:2-4) UC sent
email reminders to physicians instructing them to ?treat [their] password like [their]
share it with others.? (MSJ, 4:17?22) UC also maintained access logs for
investigation purposes, in anticipation of possible password misuse, so that UCLA could
review the logs upon receiving notice of password misuse. (MSJ, 4:240?)

Second, Defendant?s own expert admits that unauthorized use of a UCLA physician?s
password by his staff, as occarred in this case, was a foreseeable event. ?[A]ny information

16

 

 

TO DEFENDANT MOTZON FOR SUMMARY JUDGMENT

 

\Oooe-JQLR-ibsystem is most vulnerable to authorized user errors and mistakes, and to users motivated by bad
faith or malice.? (DF 118, emphasis added]) ?[U]sers in general are the ones who have the
ability to misuse their Everybody worries about Unknown third
have a much lower probability of success than insiders who have the ability to know
things that outsiders can?t know.? (DF 118)

Defendant?s expert Mr. Christiansen essentially con?rms that password sharing or theft
by ?authorized? physicians and staff constitutes the most foreseeable privacy risk to EHR
systems. Plaintiff? 8 expert Dr. Gropper agrees that password sharing by physicians with their
medical staff is extremely foreseeable. In fact, unauthorized password sharing by assistants to
nou-employee physicians is even more expected, because UCLA does not train these assistants
and is powerless to discipline them. Password sharing is at the heart of the breach which
prompted Plaintiff Lozano?s complaint. (DP 143)

Third, UC had been aware of the risk posed by unauthorized access and snooping by
employees of UCLA physicians, years before Ms. Lozano?s records were breached. UCLA
received at least 15 privacy complaints regarding password sharing between May 2010 and
2013, 90?100% of which resulted in discipline by UCLA. Further, as the court in Regent's
recognized, the Department of Public Health reported that:

more than 120 workers at the UCLA Medical Center looked at celebrities?
medical records and other personal information without permission between
January 2004 and June 2008, and that three continued to look at one particular
celebrity's records even after a crackdown on the unauthorized access began in
April including one individual who breached 939 times, and the medical
information of more than 6,000 patients at San Francisco] Medical Center
was posted on the interact for more than three months.? Regents ofthe Univ. of
Cal., 220 Cal. App. 4th at 569.
Such prior notice is evidence of foreseeability. See Kwait'kowski v. Superior Trading Co.
(1981) 123 Cal. App. 3d 324, 328 (?The [landlords] had prior notice of a tenant who was
assaulted and robbed two months before Ms. Kwaitkowski was assaulted, robbed and 
They also had notice that with the defective door, strangers had easy access to the 
Under these circumstances, the danger to Ms. Kwaitkowski?s personal safety was foreseeable?)

Defendant UC attempts to analogize the risk of unauthorized password use at UCLA

with the sale of an open gasoline can, or a second intoxicated motorist colliding with the ?rst

1 7
OPPOSITION TO DEFENDANT MOTION FOR SUMMARY JUDGMENT

 



motorist?s vehicle which was parked completely off the freeway and injuring a patrol officer.
MSJ, 14:21-15:12. These strained arguments must fail.

The court?s decision in the intoxicated motorist case, Schrimscher, 58 Cal. App. 3d at
660, turned on specific public policy grounds that do not exist here. As the Court of Appeal
subsequently held in Jackson v. Ryder Truck Rental, Schrimseher stands for ?a narrow
policy~based exception to standard roles of tort declaring tort questions off-limits as
to the job duties of public safety these grounds do not extend to the activities of
private entities such as Ryder.? Jackson v. Ryder Truck Rental, Inc. (1993) 16 Cal. App. 4th
1830, 1852 (Held: whether the act of an automobile driver who struck a truckdriver whose
truck was stopped on the side of road due to an electrical problem was a snperseding cause to a
contractor?s negligent maintenance of the truck?s electrical system deemed a question of fact
for the jury). Neither does this narrow exception apply to Defendant UC, as no police or
?refighters are involved here.

Regarding the sale of an open gasoline can in Gonzalez 12. Derrington (1961) 56 Cal. 2d
130, Defendant analysis begins and ends with one sentence: ?Gasoline is ?aminable and
medical records are sensitive, but that does not make the intentional misconduct by either the
arsonist or Price foreseeable.? (MSJ, 15:11?12) The differences, however, are obvious. The
expectation that a reasonably prudent medical center would foresee the general risk of
unauthorized viewing and disclosure of a patient?s medical information is far less attenuated
than the expectation that a store owner foresee the risk that selling an open, larger than usual.
can of gasoline, a product sold. on every other street corner, would be responsible for the
destruction of a bar by an arsonist. In Gonzalez, the court found that there is ?nothing about
purchasing gasoline in an open five-gallon can that makes it more likely that it will be used
intentionally to injure others than that purchased in a closed two~gallon can.? Id. at 133.
Conversely, inherent to the maintenance of an EHR system is protection of private records
from unauthorized access. Indeed, the mere release of medical information is precisely the
harm that HIPAA and the CMIA seek to prevent, unlike the gasoline container ordinance in
Gonzalez, which was not designed to prevent use by an arsonist. Id.

'18

 

 

OPPOSITION TO DEFENEJANT MOTION FOR SUMMARY JUDGMENT

 

(hub-Lastly, foreseeability is ordinarily a question of fact for the jury, unless the undisputed
facts leave no room for a reasonable difference of opinion. Bigbee v. Pacific Tel. Tel. Co.
(1983) 34 Cal. 3d 49, 56. However, this case provides ample evidence that unauthorized
password sharing and use was foreseeable, based on acknowledged history of
unauthorized password use, the admission by own expert, and the training of physicians.
V. Defendant Conduct Invadcd Piaintiff?s Right to Privacy.

A. Defendant Constituted More Than an Impact

on Plaintiff?s Privacy interests.

In order to prevail on summary judgment regarding Plaintiffs invasion of privacy
claim, Defendant UC must show that no question of fact exists regarding whether the 
invasion of Plaintiff?s privacy was ?suf?ciently serious? in its ?nature, scope, and actual or
potential impact.? Hill Nat?l Collegiate Athletic Ass ?14 (1994) 7 Cal. 4th 1, 37.

This Court has already addressed the arguments and authority used by Defendant on
this point in its ruling on Demurrer to Plaintiff?s First Amended Complaint. As this
Court recognized, the ?Hill case and its progeny require the Court to consider both the impact
of the release of medical information, and the nature of the conduct itself There is no question
that the release of medical information has a serious and substantial impact on a patient?s
privacy rights? Ex. 8, at 4. After citing to Ruiz v. Gap, Inc. (N .D. Cal. 2008) 540 F. Supp. 2d
1121, this Court dismissed Defendant?s argument that only overt, deliberate disclosures of
private information warrant constitutional privacy violations. This court acknowledged
Plaintiff?s allegations that UC ?made the breach of con?dentiality possible? and ?permitted a
physician and his staff to access records of UCLA patients that had no relationship with the
physician.? Accordingly, this Court ruled that, given the ?.?impact of that policy, Plaintiff has
pled suf?cient facts from which a trier of fact might determine that the allegations constitute an
egregious breach which support an invasion of privacy claim against the Regents.?

At the summary judgment stage, Defendant UC can point to no undisputed material
facts which either contradict the allegations in Plaintiff?s pleadings on these points, or which
require the Court to change its position. The Court?s prior ruling is equally applicable now.

9
PLAIN OPPOSITION TO DEFENDANT MOTION FOR SUMMARY JUDGMENT

 

?anagram?tauntthe California Supreme Court announced in Hill, and most recently in County ofLos
Angeles v. Los Angeles County Employee Relations Com. (2013) 56 Cal. 4th 905, 927, ?Legally
recognized privacy interests include interests in precluding the dissemination or misuse of
sensitive and con?dential information.? The dissemination of medical information is
especially egregious, because a ?person's medical profile is an area of privacy in?nitely more
intimate, more personal in quality and nature than many areas already judicially recognized
and protected.? Bd. of Med. Quality Assurance v. Gherardini (1979) 93 Cal. App. 3d 669, 678?
679 (emphasis added). As such, patients have a reasonable expectation that such personal
matters will remain with the physician and the physician only. See id. at 679 (?The matters
disclosed to the physician arise in most sensitive are often dif?cult to reveal even to the doctor.
Their unauthorized disclosure can provoke more than just simple humiliation in a fragile
personality?); In re Estate ofFlint (1893) 100 Cal. 391, 397 (encouraging patients to disclose
matters with their physicians ?with the knowledge that the law recognizes the communications
as con?dential, and guards against the possibility of his feelings being shocked or his
reputation tarnished by their subsequent disclosure?).

?open access? health records system provided full access to all patient files to all
physicians, free of any layers of security or abuse detection, just as Plaintiff alleged in her
pleadings. (See DF 144) reliance on a physician ?honor code?, without implementing
mechanisms to detect or prevent unauthorized password, invited the abuse that resulted in
release of information from Plaintiffs EHR to third parties. (See DF 144)

Information about communicable diseases is ?extremely sensitive? in nature and such
disclosure is serious in nature, scope, and potential impact. See Los Angeles Gay and Lesbian.
Center v. Superior Court(2011) 194 Cal. App. 4th 288, 308. Additionally, courts recognize
that even one person?s unauthorized viewing of a patient?s records is a suf?cient disclosure to
constitute a serious privacy invasion. See Hill, 7 Cal. 4th at 27 (?Particularly when professional
or ?duciary relationships premised on con?dentiality are at the state constitutional right
to privacy may be invaded by a less?than~public dissemination of information?).

Not surprisingly, the California Court of Appeal has found unauthorized release of

20
OPPOSITION TO DEFENDANT MOTION FOR SUMMARY JUDGMENT

 








 

medical records under the CMIA to be an egregious breach of social norms. In Pert'us v. Cole
(1996) Cal. App. 4th 402, 445, a breach of privacy was found suf?ciently serious when the
plaintiffs exam details were released to his employer, which led to his termination.
The breach of Plaintiff Lozano?s privacy was far more serious than in Perms. In Pettus, the
plaintiff voluntarily saw physicians and allowed them to disclose portions of his evaluations to
his employer. Id. Here, Plaintiff Lozano gave no consent to the viewing of her private medical
records by Dr. Edwards, who was never Plaintiff? physician, nor his staff. Further, the
medical records released by UC included Plaintiff gynecological lab records and disclosures
about a communicable disease. This was an egregious breach of privacy.

Defendant?s reliance on Ruiz v. Gap, 540 F. Supp. 2d at 1127~28 is misplaced. (MSJ,
16:7-19) As this Court previously acknowledged, Ruiz does not stand for the broad proposition
that UC seeks to draw. Determining whether offensiveness has been met as a matter of law
requires examination of all surrounding circumstances. See Hernandez v. Hillsides, Inc. (2009)
47 Cal. 4th 272, 295. Further, this case is more analogous to Pettus than Ruiz. ln Ruiz, the
plaintiff?s social security number was contained in a laptop stolen from his employer. The Ruiz
court found that mere release of a social security number did not constitute a serious or
egregious breach of societal norms. Ruiz, 540 F. Supp. 2d at l124?25. In contrast, unlike a
social security number, which is routinely provided in commerce, Plaintiff was subject to
release of deeply intimate medical information, as discussed in detail above.

B. The General Public interest in Electronic Medical Records is Not at Issue.

The UC attempts to argue that public policy interests favoring electronic medical
records outweighs any invasion of privacy, an argument that misses the point. This case is not
an attack on the efficacy of utilizing EHR systems generally, but rather, a spotlight of the
failure of UCLA to implement reasonable and adequate controls as part of its EHR system.
There are reasonable mechanisms for protecting electronic medical records from beach, which
the UC failed to implement. (DF 142) It is a question of fact for the jury to determine whether
the failure was unreasonable and therefore negligent.

C. Was a Legal Cause of Plaintiff?s Damages.

2t
TO DEFENDANT MOTION FOR SUMMARY HIDGMENT

 






 

As discussed above, arguments that any intervening causes of Plaintiff?s damages
were superseding causes, thereby cutting off damages as a matter of 'law, must fail.
Vi. Conclusion.
For the foregoing reasons, Defendant Motion for Smnmary Judgment should be
denied in its entirety.
ALEXANDER

Dated: June 24, 2015 KOW GLICK LLP

By:

 

J. BERNARD ALEXANDER, a.
BRETT C. BEELER

Attorneys for Plaiotiff

NORMA LOZANO

22
OPPOSZTION TO MOTION FOR SUMMARY JUDGMENT

 

PROOF OF SERVICE

I am over the age of 18 years, not a party to this action, and am employed
in the County of Los Angeles, State of California. My business address is ALEXANDER
KRAKOW GLICK LLP, 401 Wilshire Blvd., Suite 1000, Santa Monica, CA 90401.

On, June 24, 2015, following the ordinary business practices of
ALEXANDER KRAKOW GLICK LLP as set forth below, I served a true and correct
copy of the foregoing document described as MEMORANDUM OF
POINTS AND AUTHORITIES IN OPPOSITION TO THE REGENTS OF THE
UNIVERSETY OF MOTION FOR SUMMARY JUDGMENT in a sealed
envelope, with postage fully prepaid, addressed as follows:

SERVICE 

(X) BY MAIL. I am readily familiar with ALEXANDER KRAKOW GLICK 
practice for collection and processing of correspondence for mailing with the US.
Postal Service. Under that practice, in the ordinary course of business,
correspondence would be deposited with the US. Postal Service on the same
day with postage folly prepaid at ALEXANDER KRAKOW GLICK LLP, 401
Wilshire Blvd, Suite 1000, Santa Monica, CA 90401. The above envelope was
placed for collection and mailing on the above date following ALEXANDER
KRAKOW ordinary business practice. I am aware that on motion of
the party served, service is presumed invalid if the postal cancellation date or
postage meter date is more than one day after date of deposition for mailing.

BY MAIL. deposited such enveIOpe in the mail at 401 Wilshire Blvd, Suite
1000, Santa Monica, CA 90401.

VIA FACSIMILE. I sent said documents (Reply Brief only) via facsimile.

VIA EMAIL. I sent said document(s) (Reply Brief and Declaration) via electronic
mail to the addressee.

VIA FEDEX. I delivered said documents via overnight delivery.

BY PERSONAL SERVICE. I caused delivery of said envelope by hand to the
offices of the addressee(s).

 

(X) (STATE) I declare under penalty of perjury ander the laws of the State of
California that the foregoing is true and correct. -

(FEDERAL) I declare that I am employed in the office of a member of the bar of
this Court at whose direction the service was made.

5. 
Michael P. Vazquez

 

Dated: June 24, 2015

 





 

SERVICE LIST

COUNSEL FOR DEFENDANTS: REGENTS OF THE UNIVERSITY OF CALIFORNIA

Bradley 8. Phillips, Esq.

MUNGER, TOLLES OLSON LLP
355 South Grand Avenue
Thirty?Fifth Floor 1111 Franklin Street

Los Angeles, California 9007141580 Oakland, California 94807
T: 213 883 9100 T: 510 987 9800

F: 213 887 3702 F: 510 987 9757

E: brad.phillips@mto.corn

Charles F. Robinson, Esq.
Office of the General Counsel
University of California

Bryan H. Heekenlively, Esq.
MUNGER, TOLLES 8 OLSON LLP
580 Mission Street

Twenty-Seventh Floor

San Francisco, California 94105?2907
T: 415 512 4000

F: 415 512 4077

E: bryan.heokenlively@mto.com

COUNSEL FOR DEFENDANT: JOHN D. EDWARDS, M. D.
Don Fesler, Esq.

John D. Schumacher, Esq.

LA FOLLETTE, JOHNSON, DE HAAS, FESLER AMES
885 South Figueroa Street, 32nd Floor

Los Angeles, California 90017~5431

T: 213 428 3800

F: 213 428 3850

E: jschumacher@Ljdfa.com

SERV ICE