UCLA Health Cyber-Attack Affects MillionsFBI Investigates Assault That May Have Started Last Fall
The FBI is investigating the latest in a string of major cyber-attacks in the healthcare sector. UCLA Health confirms that information on 4.5 million individuals may have been exposed when hackers breached its network in an attack that appears to have begun last September.
UCLA Health says in a July 17 statement that it appears that "criminal hackers" accessed parts of the organization's computer network that contain personal and medical information. "UCLA Health has no evidence at this time that the cyber-attacker actually accessed or acquired any individual's personal or medical information," the statement notes.
UCLA Health includes four hospitals on two campuses - Ronald Reagan UCLA Medical Center; UCLA Medical Center, Santa Monica; Mattel Children's Hospital UCLA; and Resnick Neuropsychiatric Hospital at UCLA - and more than 150 primary and specialty offices throughout Southern California.
The attack on UCLA Health is the latest of several massive hacker assaults on healthcare sector organizations in recent months. Most of the largest attacks so far this year have been on health insurers. Those include attacks against: Anthem Inc., which resulted in a breach impacting more than 79 million individuals; Premera Blue Cross, which affected about 11 million; and CareFirst Blue Cross Blue Shield, which impacted 1.1 million.
The largest recent hacker attack against a provider organization was last August, when Community Health Systems reported a breach affecting 4.5 million individuals. "Forensic investigators have said that an advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the company's systems," according to Community Health System's 8-K filing to the U.S. Securities and Exchange Commission last year (see China Hackers Suspected In Health Breach).
UCLA Health is working with investigators from the FBI, and has hired private computer forensic experts to further secure information on network servers, its statement says.
"We take this attack on our systems extremely seriously," says James Atkinson, the interim associate vice chancellor and president of the UCLA Hospital System. "We have taken significant steps to further protect data and strengthen our network against another cyber-attack."
UCLA Health says it detected suspicious activity in its network in October 2014, and began an investigation with assistance from the FBI. At that time, it did not appear that the attackers had gained access to the parts of the network that contain personal and medical information. "As part of that ongoing investigation, on May 5, 2015, UCLA Health determined that the attackers had accessed parts of the network that contain personal information such as names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare or health plan ID numbers and some medical information. Based on the continuing investigation, it appears that the attackers may have had access to these parts of the network as early as September 2014. We continue to investigate this matter."
The organization says there is no evidence yet that the hackers actually accessed or acquired individuals' personal or medical information. But because the organization cannot conclusively rule out the possibility that the attackers may have accessed the information, UCLA Health is offering all potentially affected individuals 12 months of free identity theft recovery and restoration services as well as additional healthcare identity protection tools.
In addition, individuals whose Social Security number or Medicare identification number was stored on the affected parts of the network will receive 12 months of free credit monitoring.
Healthcare as a Target
Privacy and security attorney Kirk Nahra of the law firm Wiley Rein says this latest breach affecting UCLA Health is just another sign "that clearly, the healthcare sector is under cyber-attack."
"People can no longer say, 'this won't happen to me.' It will happen to you," he says. Organizations not only need to beef up their security controls, but they also need to be on the lookout for fraud that involves stolen IDs, he says. "If UCLA Health's patients' records are stolen, then other healthcare providers down the street should be watching out" for fraudsters using the compromised data to obtain medical services or to commit other fraud, he warns.
Privacy and security attorney Ron Raether of the law firm Faruki Ireland & Cox P.L.L. says healthcare organizations are following financial institutions, data aggregators and retailers in becoming prime targets for hackers in search of valuable data that can be used to commit fraud.
"Hackers look for the most data for the least effort. Hospitals have a lot of information both current and historical without any real limits," he says. "The character of the data is of high value - not just treatment and the usual identifiers but also payment information and family history and other data which could be used in security questions."
Hospitals need to learn from lessons of other business sectors and invest in sound data governance practices, he adds.