UCLA Health: Hackers May Have Accessed Personal Info on up to 4.5M
July 20, 2015 in News
Details of Breach
James Atkinson, interim president of University of California-Los Angeles Hospital System, said the health system in October 2014 noticed suspicious activity on one of its computer servers. UCLA Health began investigating the activity with assistance from the FBI.
In May, investigators determined that hackers had gained accessed to the UCLA Health computer network. Hackers could have gained access as early as September 2014, according to UCLA. Some of the affected information dates back as far as 1990 (Terhune, Los Angeles Times, 7/17).
Potentially affected information included:
- Birth dates;
- Certain medical information;
- Health plan or Medicare identification numbers;
- Medical record numbers;
- Names; and
- Social Security numbers (Conn, Modern Healthcare, 7/17).
Financial information does not appear to have been involved, according to Atkinson.
The data were not encrypted (Los Angeles Times, 7/17).
In a statement on Friday, UCLA Health said “there is no evidence that the attacker actually accessed or acquired individuals’ personal or medical information” (Emshwiller, Wall Street Journal, 7/17). However, However, University of California President Janet Napolitano in a later statement said, “[W]e cannot rule out that possibility.”
Individuals affected by the incident will receive 12 months of no-cost identity theft and other “health care identity protection tools.” Individuals whose Social Security or Medicare identification numbers could have been accessed will receive 12 months of no-cost credit monitoring (Modern Healthcare, 7/17).
According to the Times, some experts questioned UCLA’s lack of encryption, given other recent security incidents.
UCLA said that before the attack occurred it had been taking efforts and investing in boosting computer security. Officials also noted that UCLA had fended off previous attacks.
The UC system said it will boost defenses across its universities and hospitals. Napolitano said that the system has created an external cybersecurity group that will look at “security posture across the UC system” and “assess emerging threats and potential vulnerabilities” (Los Angeles Times, 7/17).