On May 5th, 2015, the University of California’s (UCLA) hospital determined that it had suffered a breach of its network.
That breach has now been confirmed and it’s possible that this cyber attack will expose an estimated 4.5 million medical files from patients.
The incident stems from a major breach of federal employee records from the insurance company Anthem Inc., which affected 80 million Americans earlier this year.
The hospital provided a statement identifying that an attacker had accessed UCLA’s health records containing its patients’ valuable data. The data included names, addresses, birth dates, Social Security numbers, medical numbers, medical conditions, test results and other sensitive data that you would not want leaving the hospital.
At this time, UCLA is working with the Federal Bureau of Investigation and stated:
“We continue to investigate the attack with help from third-party computer forensics experts. There are indications that the attacker may have had access to the UCLA Health network as early as September 2014. Our investigation is on-going.”
This cyber attack is raising questions about the ability of health and insurance companies and providers to keep electronic records of sensitive data encrypted and secure.
Similar to what we saw last year with big box retailers like Target, Home Depot, and Michaels, we are seeing the same trend in breaches with healthcare providers.
In this example, UCLA had not encrypted this patient data. Dr. Deborah Peel, founder of Patient Privacy Rights, told the LA Times that “These breaches will keep happening because the healthcare industry has built so many systems with thousands of weak links.”
At this point the university has no evidence that patient data was taken, but this cannot be confirmed until the investigation is completed.
The lack of evidence does not mean that there was no sensitive information extracted from the system.
On Friday, the University of California vowed to learn from this cyber attack and to increase its defenses against cyber criminal activity across all of its universities and hospitals.
UCLA is now taking action by sending letters to affected patients, many of whom are also its own staff, and by offering identity-theft protection services and a year of credit card monitoring for those who had their SIN numbers or Medicare IDs stored on the network.
If you were part of the UCLA hospital or had any interaction with it, it’s highly recommended that you contact UCLA or visit www.myidcare.com/uclaprotection. The site has Frequently Asked Questions about the breach and access to its identity theft options.