UC San Diego blocked researchers from informing participants of the EmPower Women study, a study looking at how women’s commitment to HIV treatment varied with their experiences, that their data had been breached. Human Immunodeficiency Virus attacks the host’s immune system and makes them more susceptible to infections and certain cancers. Official documents and correspondences uncovered by “inewsource” indicated that UCSD allegedly failed to act immediately and made it unduly difficult for researchers to contact the participants.
Although lead researcher Jamila Stockman contacted UCSD administrators in October 2018 about the issue, the university has only taken action in recent weeks. The data breach revealed personal information — including names, recorded conversations and other sensitive data — of the participants to all staff of the researchers’ partner organization, Christie’s Place.
A San Diego-based nonprofit organization to help women with AIDS and HIV, Christie’s Place worked with EmPower Women to recruit women to study how domestic violence, trauma, mental illness, and substance abuse played into women’s commitment to HIV treatment. EmPower researchers learned of the breach when a mental health professional at Christie’s Place informed them that the data was placed on a separate server.
The nonprofit allegedly placed the participants’ information into their own database as a means to “inflate” the number of patients receiving clinical care. By increasing their number of patients, Christie’s Place could request additional service support from San Diego County. However, putting the information on this database entailed that anyone working at the organization would be able to access it. The organization has denied knowing of any breach.
“Whenever Christie’s Place receives a complaint, especially a complaint about confidentiality, ethics or compliance, Christie’s Place investigates the matter and, if warranted, take appropriate action,” Interim Executive Director of Christie’s Place Ali Freedman told the UCSD Guardian in an email. “To the best of our knowledge there was no data breach, and we are cooperating with UCSD regarding the data.”
In October, EmPower Women researchers contacted the UCSD Institutional Review Board which instructed them to draft a letter to inform the participants of the breach while the IRB itself would conduct an investigation. Upon further instruction from Director of the UCSD Human Research Protections Program Kip Kantelo, the researchers also had to contact administrators in the UCSD Health Compliance Advisory Services and university attorneys.
However, in contrast to the IRB, the HCAS told researchers that the university was unable to investigate the breach because they lacked the jurisdiction. This began a limbo period in which researchers would email and hold back and forth meetings with university officials.
By early December 2018, Kantelo said he would contact the UC Office of the President while the IRB reiterated the importance of contacting the participants of the breach. It took another month after winter break for Kantelo to provide a plan.
Rather than telling the participants of the breach, this letter would only inform them that their data would be transferred to a different database. In essence, the lawyers, HCAS, and IRB told the researchers to omit any mention of a breach.
The researchers asked for a justification of the omittance, but Kantelo failed to respond to any of their requests. They also requested for the HRPP to provide an official statement to explain their actions. “Inewsource” reached out to the university to try to get that justification.
“Although IRB minutes discuss potential risk to UC San Diego, the university did not make any decision in this matter regarding liability concerns,” UCSD said in a statement to “inewsource”. “Indeed, liability was not a factor. Once facts were fully examined, the university acted to begin the notification process to participants via face to face meetings.”
By March 2019, UCSD had fully reviewed the case and decided to contact Christie’s Place. The organization would then transfer all pertinent EmPower information to the university and subsequently purge that data from their servers. Once this process is complete, UCSD will then inform the participants about the breach.
“UC San Diego has been working with Christie’s Place on ensuring the secure transfer of study and participant data from Christie’s Place to the university and the destruction of all study and participant data at Christie’s Place” Director of Media Relations for UC San Diego Health Scott LaFee told the Guardian. “The notification to participants regarding the EmPower Women study protocol and data breach will begin next week.”
As of May 23, Kip Kalento is no longer listed as the Director of the UCSD Human Research Protections Program on the program’s website. The Guardian reached out to HRPP, but they have declined to comment.
Photo courtesy of UC San Diego.