California’s UCLA Health recently announced that it was hit by a cyber attack that “may have put some personal information at risk.”
That’s a bit of an understatement — 4.5 million people’s personal information may have been exposed, including names, addresses, birthdates, Social Security numbers, medical record numbers, Medicare or health plan ID numbers, and some medical information (medical conditions, medications, procedures and test results).
“At this time, there is no evidence that the attacker actually accessed or acquired the personal or medical information maintained on the impacted parts of the UCLA Health network, but we cannot conclusively rule out that possibility,” UCLA Health said in a statement.
The breach, which was discovered on May 5, 2015, may date back as far as September 2014. Those potentially affected include UCLA Health patients, as well as providers who sought privileges at any UCLA Health hospital.
“We take this attack on our systems extremely seriously,” Dr. James Atkinson, interim associate vice chancellor and president of the UCLA Hospital System, said in a statement. “Our patients come first at UCLA Health and confidentiality is a critical part of our commitment to care. We sincerely regret any impact this incident may have on those we serve.”
“We have taken significant steps to further protect data and strengthen our network against another cyber attack,” Atkinson added.
All those affected are being offered one free year of identity theft recovery and restoration services from ID Experts. Anyone with questions is advised to contact (877) 534-5972.
Clinton Karr, senior security strategist at Bromium, told eSecurity Planet by email that the UCLA Health breach should serve as a reminder that healthcare information security is in critical condition. “We have seen report after report of millions upon millions of records breached this year,” Karr said. “According to the Department of Health and Human services, more than 120 million people have been compromised in more than 1,110 separate breaches since 2009 – a third of the U.S. population.”
“These data breaches are symptomatic of a failure of healthcare organizations to invest in preventative measures, such as threat isolation,” Karr added.
Securonix chief scientist Igor Baikalov noted by email that UCLA had been hacked before, back in 2006. “Despite these painful lessons, it seems that personal data compromised in the latest breach were still not encrypted,” he said. “If our premium universities don’t learn from experience, what can we expect from other, less-learned organizations?”
And Jeff Hill, channel manager at STEALTHbits Technologies, said the chance of finding information on celebrities makes a Los Angeles-area health center an even more attractive target. “We love celebrity, but we love a fall from grace even more,” he said. “What anti-depressants is our favorite TV star taking? How about that 2 a.m. visit to the Emergency Room Saturday night to treat the facial bruise?”
“The most private and potentially embarrassing information about all of us can be found in our medical records, and they often sit exposed on the vulnerable networks of myriad hospitals, clinics, insurance companies, etc.,” Hill added.
A recent study by the Ponemon Institute found that 91 percent of healthcare organizations have suffered at least one data breach in the past two years, 39 percent have experienced two to five data breaches, and 40 percent have suffered more than five.
Still, the study found, half of all healthcare organizations have little or no confidence that they have the ability to detect all patient data loss or theft, and more than half don’t believe their incident response process has adequate funding and resources.