Hackers hit UCLA Health, access medical files of 4.5 million patients

UCLA Health, the administrative structure which governs the University of California, Los Angeles (UCLA) hospitals, has suffered a data breach, and personal and medical information of over 4.5 million patients has likely been accessed and possibly stolen by the attackers.

“On May 5, 2015, we determined that the attacker had accessed parts of the UCLA Health network that contain personal information, like name, address, date of birth, social security number, medical record number, Medicare or health plan ID number, and some medical information (e.g., medical condition, medications, procedures, and test results),” they shared in a notice.

There is apparently no evidence that the attackers actually acquired the personal or medical information in question, but it's likely that they have, as the investigation – started in the wake of suspicious activities spotted in the UCLA Health network in October 2014 – revealed that they had accessed parts of the network that contain personal information, and that they managed to do this at least a month before the security team flagged the suspicious activities.

UCLA Health has begun sending out breach notices to potentially affected individuals: UCLA Health patients and providers who sought privileges at any UCLA Health hospital. They have also been offered 12 months of identity theft recovery and restoration services, and use of additional healthcare identity protection services via ID Experts – at no charge. Also, individuals whose Social Security number or Medicare identification number was stored on the affected parts of the network will receive 12 months of credit monitoring.

“UCLA Health has implemented new measures to protect the perimeter of our network,” the organization tried to reassure affected and unaffected patients. “We have engaged the services of a leading cyber-surveillance and security firm, which is now actively monitoring our network 24 hours a day, 7 days a week, for signs of suspicious activity. In addition, we have expanded the size of our internal security team. These are just a few of the important measures we are taking to help protect against another cyber attack.”

“While many are (deservedly!) pointing fingers at UCLA for not encrypting their data, few are focusing on a serious misperception by UCLA about the impact of this breach,” noted Adam Winn, senior product manager, OPSWAT.

“Whether or not credit card data was stolen is nearly irrelevant to the victims of the breach. The data stolen is more than sufficient to commit identity fraud and Medicare fraud; additionally, the detailed information contained in these records will enable cybercriminals to launch very effective spear phishing campaigns against the victims and their friends and family.”

“This is another in a long series of recently discovered compromises to medical institutions: Carefirst, Anthem, Bluecross and now the UCLA HS. At this point we probably have more breached medical databases than ones that haven’t been compromised,” pointed out Gavin Reid, VP of threat intelligence, Lancope. “The problem is that no one wants to spend additional money – and at hospitals you better be spending that money on new medical equipment or something that saves lives.”

“Hospitals have mass adopted online record keeping but haven’t seen themselves as a target like a bank,” he noted. Unfortunately for them and their patients, hospital patient records are both an important data source for pharmaceutical and other medical research, and the records themselves often have very complete PII sets that are very valuable to identity thieves.

“The medical industry as a whole has to up its game in security maturity especially basics like patching, security controls and incident detection and response,” he concluded.
