Records of 4.5 Million UCLA Health Systems Patients Hacked

Monday, July 20, 2015

One of the most effective ways for people to spread their personal information—Social Security numbers and the like—to strangers far and wide is apparently by giving it to their healthcare provider.

UCLA Health Systems became the latest to announce they had been hacked and this time 4.5 million patients were affected. Healthcare IT News said it was the fourth largest medical breach on record.

The attack occurred nearly a year ago, in September, was detected in October, was verified in May and made public last week. The FBI has reportedly been on the case for nine months.

Why the delay in notifying the public, considering that Dr. James Atkinson, UCLA Health interim president said, “We take this attack on our systems extremely seriously”?

The release does not mention a reason, but it wasn’t for lack of caring. “Our patients come first at UCLA Health and confidentiality is a critical part of our commitment to care,” he said in a press release.

UCLA Health spokesman Tod Tamberg took a shot at explaining the delay to CNN Money: “The process of addressing the technological issues surrounding this incident and the logistics of identifying and notifying the potentially affected individuals was time-consuming.”

The hackers had access to data containing names, addresses, dates of birth, medical record numbers, Medicare or health plan ID numbers and some medical diagnoses in addition to the aforementioned Social Security numbers.

As is the case in many of these giant cyberattacks, the information was not encrypted. Patient data is protected, so to speak, by the Health Insurance Portability and Accountability Act (HIPAA). It is not very effective.

Anthem Inc. revealed in February that 80 million of its patients had their personal information compromised. Premera Blue Cross announced in March 11 million patient records were exposed and Community Health Systems said 4.5 million patients were compromised a year ago. 

None of this is a surprise. The second annual “Data Breach Industry Forecast (pdf),” from the credit information services group Experian, noted, “Several factors suggest the healthcare industry will continue to be plagued with data breach headlines in 2015.” Those factors include an increased use of electronic medical records, new wearable technologies, the high value of the information, lax cyber security systems, and the lack of security in doctors’ offices, clinics and hospitals.

UCLA Health’s FAQ about the breach indicates a recognition that, perhaps, they had not taken the warnings completely to heart. In answer to the self-asked question “What security steps are you going to take to help protect against another attack?” UCLA Health responded:

“UCLA Health has implemented new measures to protect the perimeter of our network. We have engaged the services of a leading cyber-surveillance and security firm, which is now actively monitoring our network 24 hours a day, 7 days a week, for signs of suspicious activity. In addition, we have expanded the size of our internal security team.”

It comes a bit late for 4.5 million patients.

–Ken Broder


To Learn More:

Hackers Swipe Data of 4.5M at UCLA Health System in Massive Cyberattack (by Erin McCann, Healthcare IT News)

UCLA Health Hacked, 4.5 Million Victims (by Jose Pagliery, CNN Money)

UCLA Health System Reports Patient Data Breach; 4.5 Million May Be Affected (by Chad Terhune, Los Angeles Times)

UCLA Health Victim of a Criminal Cyber Attack (University of California, Los Angeles)

Hackers Access 80 Million Anthem Health Insurance Records (by Ken Broder, AllGov California)

Leave a comment