UCLA Health Breach Puts Data at Risk for 4.5M

Four-hospital UCLA Health said Friday that cyber criminals hit part of its network that contains the records of an estimated 4.5 million people.

“At this time, there is no evidence that the attacker actually accessed or acquired individuals’ personal or medical information,” UCLA Health said in an initial announcement, but followed with a later statement from UC President Janet Napolitano that added “we cannot rule out that possibility.”

The UCLA Health statement said the system first discovered suspicious activity on its network last October, but not until May 5 did it learn that the attackers had accessed parts of the network that contained “personal information such as names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare or health plan ID numbers and some medical information.”

“Based on the continuing investigation, it appears that the attackers may have had access to these parts of the network as early as September 2014,” according to the statement.

The FBI and private computer forensic experts are investigating the breach, with the contractors working to further secure information on network servers, the statement said.

The healthcare system announced it will provide 12 months of free identity theft recovery and restoration services and other “healthcare identity protection tools” to affected patients. Those whose Social Security numbers or Medicare identification numbers were stored on the affected parts of the network also will receive 12 months of free credit monitoring, the announcement said.

In the past year or so, both U.S. providers and health plans have come under an increasing number of attacks by hackers, often appearing to be from outside the U.S., particularly from Eastern Europe and China. UCLA Health said its system is “under near-constant attack” and blocks “millions of known hacker attempts each year.”

In some cases, as at UCLA Health, it’s not been readily apparent the attackers were able to move the data out of the organization. In March, for example, Premera Blue Cross, Mountlake Terrace, Wash., announced a data security breach by hackers, potentially exposing the records of 11 million members, but the company was unable to determine whether any data had been removed.

Since September 2009, when HHS began publicly posting healthcare data breaches involving 500 or more individuals to its “wall of shame” website, 1,265 breaches, exposing the records of nearly 135 million people, have made the list.

This week, the Blue Cross and Blue Shield Association announced it would be providing perpetual credit monitoring and identity protection services to all of its member plans’ 106 million customers.