University of California San Diego officials stonewalled attempts to notify women in an HIV research study that their confidential data was breached more than seven months ago, an inewsource investigation has found.
UCSD researchers conducting the EmPower Women study told university officials in October that participants’ names, audio-taped conversations and other sensitive materials were made accessible to everyone working at Christie’s Place, a San Diego nonprofit supporting women with HIV and AIDS. They called the situation “very serious” and said the women affected are “within one of the most vulnerable and marginalized populations.”
Their medical history, blood, organs, DNA or participation in drug trials can help improve the diagnosis and treatment of diseases, or develop new technologies to help people live longer, healthier lives.
The researchers are expected to follow ethical guidelines meant to protect their patients.
But internal emails, reports and meeting minutes chronicle months of communication between lead researcher Jamila Stockman — who pushed for telling two dozen women enrolled in the project about the breach — and UCSD officials concerned about the consequences.
UCSD partnered with Christie’s Place to recruit subjects into a study that would examine how their experiences with domestic violence, trauma, mental illness and substance abuse affected their commitment to HIV treatment. The women’s information was supposed to be kept confidential and accessible only by authorized research staff.
According to university records, the breach occurred when Christie’s Place managers intentionally stored all study information in a database it uses to track patients receiving clinical care, which can be accessed by anyone at the nonprofit, allegedly to “inflate” their patient numbers and bill San Diego County for more services. Christie’s Place denied that allegation.
In a statement, UCSD told inewsource it is working on contacting the research subjects, a process it said will begin in about one to three weeks. It blamed the delays primarily on one administrator who was put on leave.
UCSD is asking participants of the EmPower Women study seeking additional information to call the UCSD Privacy Office at 877-476-8273.
inewsource spoke with five experts in research ethics and data privacy for this story, who all agreed it has taken UCSD far too long to notify the women affected. One expert said “being transparent” is the first step in these situations; another that he was “very concerned” by the seven-month delay; and a third that the university’s response “seems to violate the respect” for the research subjects.
“That’s just an unacceptable delay,” said Michael Carome, a former associate director at the U.S. Office for Human Research Protections.
That office has oversight of many research studies – but not this one. The EmPower Women project was funded entirely by the University of California system, meaning the federal agency couldn’t monitor or enforce how UCSD responded to the breach.
“Most people want to maintain control over their private medical information, and a breach of that information can be emotionally stressful,” Carome said. “It can be psychologically stressful, it could potentially be damaging to personal relationships, perhaps employment, perhaps insurability. So these types of breaches are very serious problems.”
How the breach began
In 2016, Stockman began a study of HIV-positive women in San Diego County who were not receiving treatment. The goal was to help them improve their health.
Stockman, who is 42, has been performing studies like this for 15 years. She is an associate professor at UCSD and Vice Chief of Global Public Health, researching HIV, domestic violence and substance abuse in vulnerable populations across the U.S., Latin America and the Caribbean.
Stockman has received more than $4.6 million in grants from the National Institutes of Health. She also won the prestigious New Investigator Award from the Centers for Disease Control and Prevention Foundation for domestic violence research and an award from the World Bank Group to study HIV-positive women in Brazil.
Stockman planned to enroll 100 participants in the EmPower Women study. Half would receive frequent counseling and support sessions, and half would have the option to use standard services available at Christie’s Place, which has serviced families affected by HIV and AIDS since 1996. Researchers would measure if the women in the two groups had different health outcomes.
Twenty-four women had been enrolled in the EmPower Women study when Stockman’s team first reported a data breach to the university in October.
A mental health professional at Christie’s Place had told researchers that all EmPower Women study files were being kept on a computer drive meant to store data about patients receiving clinical care, not data about study participants.
As a result, the research subjects’ personal information — which was supposed to be password-protected and accessible only to authorized researchers — could be viewed by all Christie’s Place staff, interns and volunteers. That includes participants’ full names, study ID numbers, appointment dates, survey responses, whether they were in the experimental or control group, session attendance records and audio files from focus groups conducted in English and Spanish.
The researchers were told that the files had been placed on the wrong computer drive intentionally, because Christie’s Place allegedly wanted to “inflate” the number of people it supports with clinical care and bill San Diego County for those services, meeting minutes say.
Kathleen Grove, the president of the Christie’s Place Board of Directors, sent inewsource a statement that said the nonprofit investigated that allegation and determined “that Christie’s Place did not misuse client data, did not breach client data to inflate patient numbers, did not misrepresent the services we provided, and did not improperly bill the County of San Diego.”
Stockman decided to suspend the EmPower Women study in October after unsuccessful attempts to resolve the breach.
The university filed a written grievance about the incident with the Christie’s Place Board of Directors, which then conducted an internal investigation. Christie’s Place Executive Director Erin Falvey and Clinical Manager Dawn Marie Tol resigned on Oct. 15.
Falvey and Tol did not respond to interview requests for this story.
More than two-thirds of Christie’s Place’s annual budget comes through San Diego County’s Public Health Services Department, which gives out money from federal and state agencies to local groups supporting public health causes like HIV treatment.
The county was not aware of the breach or the allegations about Christie’s Place’s billing practices until contacted by inewsource last Thursday. County spokesperson Michael Workman said the county would “look into the issue and take all appropriate measures on our end.”
Data breaches are common in research studies and health care. There are more than 450 breaches currently under investigation nationwide by the U.S. Department of Health and Human Services for exposing personal health information, including at least 23 breaches at universities.
UCSD is ranked among the top research institutions in the country. It secured $1.2 billion in sponsored research support in 2018, with $686 million going toward UC Health Sciences. Its scientists have made breakthroughs in diabetes research, understanding cancer genes, identifying early signs of autism and treating Alzheimer’s disease.
Even with extensive training and high-tech encryption, there is little UCSD could have done to prevent this breach if it was caused intentionally by someone with access to the research files.
“These data breaches happen for various reasons and will continue to happen,” said Anand Sarwate, an assistant professor in computer engineering at Rutgers University. “What institutions need to have is a clear set of guidelines” on what to do when a breach occurs.
“A lot of the time, we set up these rules to prevent a problem, but then we don’t have any way of cleaning up a problem,” Sarwate said. “Once the problem has happened, people kind of scramble around.”
‘Authority and expertise’
UCSD researchers worked through front and back channels in their search for solutions.
The front channel involved UCSD’s institutional review boards, which meet once a month to review and approve research studies. Under university policy, researchers have to inform their review board when data breaches occur, and the board can then tell the researchers how to address the problem. The board could require the research team to amend the study plan, temporarily stop enrollment or shut down the project entirely.
When the EmPower Women researchers reported the breach, the review board told them to draft a letter to participants notifying them of what happened.
But that notification was repeatedly delayed.
When EmPower Women program manager Kristin Gundersen, a UCSD employee, contacted the review board for guidance, she was told to go through a back channel: UCSD administrators and lawyers.
Gundersen sent an email on Oct. 17 asking if the researchers should try to document the details of the breach.
Kip Kantelo, Director of the UCSD Human Research Protections Program, told Gundersen the situation was beyond the review board’s “authority and expertise.” Officials from UCSD Health Compliance Advisory Services and university attorneys “should have input” moving forward, he said in the email.
Kantelo is the administrator who oversees all of the university’s human research review boards.
“As you point out, taking any additional steps to document and/or remove the data could compound legal issues,” he wrote.
That same week, the review board sent its first official response to the researchers about how to address the breach. The board told Stockman and her team to prepare a letter to “currently enrolled participants and families summarizing the issue” and send it to the board for approval.
The letter was supposed to describe the “reason for suspending study,” a plan to identify a new community partner to work with, “the status of participant involvement” and “the status of participant’s data, particularly those whose data ended up in Christie’s Place records,” according to board meeting minutes.
Carome, the former research protections associate director, said the review board’s initial response was reasonable and “seems to have recognized appropriately the severity of what happened.”
“But the problem appears to be the failure to follow through on what was I think an appropriate plan,” he said.
As the researchers tried to draft the letter, they did as Kantelo suggested: They met with administrators in the campus compliance office, the privacy office and with university lawyers.
The advice they received was different from the review board’s.
The board told researchers there would be a thorough investigation of the breach, but Daniel Weissburg, chief compliance and privacy officer for Health Compliance Advisory Services at UCSD, said the university did not have jurisdiction to conduct an audit or investigate the research files kept at Christie’s Place. The security of the data could not be guaranteed.
Weissburg is no longer employed at UCSD. The university would not say if he was the individual placed on leave because of the breach.
“My goal has been to give women a voice in scientific research and the development of programs and services,” Stockman told inewsource in a statement. “It is my utmost priority to protect the privacy and confidentiality of research participants and I have and continue to do everything in my power to ensure this is upheld.”
‘A holding pattern’
The researchers discussed their growing concerns in a meeting with Kantelo on Dec. 12.
Kantelo told them he would contact attorneys in the University of California Office of the President, based in Oakland, for advice. Any plan to notify the participants of the breach would be forwarded to attorneys “to confirm that language used will not create additional legal risk,” Kantelo wrote in an email after the meeting.
“We all agreed that given the landmines involved, all other actions, including any notifications to the county” or “other possibly affected researchers would be deferred … pending further advice from the (attorneys) or others,” Kantelo wrote.
The next day, the researchers received their second official response from the UCSD review board. The board emphasized that its “primary concern” is “notification of study participants,” meeting minutes say.
Almost a month went by before the researchers were informed of a plan. In January, after the university’s winter break, Kantelo emailed them, saying he had spoken with a lawyer in the Office of the President.
Now Kantelo proposed “limited points of notifications to subjects” about the breach. He said the lawyers, compliance officers and review board members involved agreed with the language.
The letter would tell participants that Christie’s Place was no longer involved in the project and “UCSD is working with Christie’s Place to make sure that your confidential data is completely transferred to the UCSD study team and that any extra copies are destroyed.”
The letter would not mention the breach.
“Information about Christie’s Place should be limited to the above,” Kantelo wrote.
Stockman asked Kantelo to “justify” this decision.
“To be candid, the below recommendations contradict our training as researchers directly working with human subjects, the training on IRB (institutional review board), HIPAA, Privacy, and Compliance, and with the previous guidance we received” from the review board, Stockman wrote.
“Can you please provide your reasoning behind this recommended new course of action?”
Kantelo did not reply to that email or respond to other attempts by Stockman and her team asking for his guidance, clarification and reasoning.
Dr. Douglas Richman, Stockman’s colleague and the director of The HIV Institute at UCSD, told officials in January that he was “very uncomfortable” with the situation.
“The appearance of denying that something happened because a University lawyer thinks the head-in-sand approach without documentation will somehow protect our great University strikes me as risky, if what happened becomes public,” he wrote in an email.
The EmPower Women researchers felt they were “in a holding pattern” as they waited for answers. They sent a formal request to the UCSD Human Research Protections Program for an official statement explaining why they weren’t supposed to inform the participants about the breach.
“I don’t understand how the responsibilities to these vulnerable subjects are being fulfilled,” said C.K. Gunsalus, director of the National Center for Professional & Research Ethics, based on her review of inewsource’s records. “It appears the subjects are coming last in the considerations.”
The university said in its statement to inewsource that “liability was not a factor” in the institution’s actions. It stressed that “the privacy and protection of study participants were and continue to be paramount.”
Once UCSD representatives had fully reviewed the facts in March 2019, the statement said, they decided to tell women about the breach – but UCSD first wants to ensure that Christie’s Place returns all participant files to the university and destroys all the study data on its servers.
Asked Monday whether that has happened, a UCSD spokesperson said, “We expect Christie’s response imminently.”
We'll let you know when big things happen.